(54) Secure data processor with cryptography and tamper detection

(57) The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating keys, encryption/decryption engines and algorithms in the SPU the entire security process is rendered portable and easily distributed across physical boundaries. The invention is based on the orchestration of three interrelated systems: (i) detectors, which alert the SPU to the existence, and help characterize the nature, of a security attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are countermeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks present. The present invention, with wide capability in all three of the detectors, filters and responses, allows a great degree of flexibility for programming an appropriate level of security/policy into an SPU-based application.
Description

1. BACKGROUND. 

[0001] This invention relates generally to integrated circuits for electronic data processing systems and more specifically to the architecture, implementation and use of a secure integrated circuit which is capable of effectively preventing inspection, extraction and/or modification of confidential information stored therein.

[0002] There are many applications in which information has to be processed and transmitted securely. For example, automated teller machines (ATMs) require the secure storage and transmission of an identifying key (in this context a password or PIN number) to prevent unauthorized intruders from accessing a bank customer's account. Similarly, pay-per-view (PPV) cable and satellite television systems must protect keys which both distinguish authorized from unauthorized subscribers and decrypt encrypted broadcast television signals.

[0003] Typically, one or more integrated circuits are used to process the information electronically. These integrated circuits may themselves store internal confidential information, such as keys and/or proprietary algorithms for encrypting and decrypting that information, as well as implement the encryption/decryption "engine." Clearly, there is a need for integrated circuits which are capable of preventing an unauthorized person from inspecting, extracting, and/or modifying the confidential information processed by such integrated circuits. Further, it is sometimes desirable to destroy certain confidential information (e.g., the keys) and preserve other confidential information (e.g., historical data, such as accounting information used in financial transactions) upon detection of intrusion.

[0004] One problem with existing security systems is that the confidential information (keys, encryption/decryption algorithms, etc.) is, at some point in the process, available to potential intruders in an unencrypted ("cleartext") form in a non-secure environment. What is needed is a single secure integrated circuit in which the keys and encryption/decryption engine and algorithms can be embodied and protected from intruders. Such an integrated circuit would effectively ensure that the information being processed (i.e., inputs to the chip) is not made available off-chip to unauthorized persons except in encrypted form, and would "encapsulate" the encryption/decryption process on the chip such that the keys and algorithms are protected, particularly while in cleartext form, from a variety of potential attacks.

[0005] Existing secure integrated circuits typically contain barriers, detectors, and means for destroying the confidential information stored therein when intrusion is detected. An example of a barrier is the deposition of one or more conductive layers overlying memory cells inside an integrated circuit. These layers prevent the inspection of the memory cells by diagnostic tools such as a scanning electron microscope. An example of a detector and destroying means is a photo detector connected to a switching circuit which turns off power to memory cells inside a secure integrated circuit upon detection of light. When power is turned off, the contents of the memory cells, which may contain confidential information, will be lost. The theory behind such a security mechanism is that the photo detector will be exposed to light only when the enclosure of the integrated circuit is broken, intentionally or by accident. In either event, it is often prudent to destroy the confidential information stored inside the integrated circuit.

[0006] One problem with existing security systems is the "hard-wired" nature of the process of responding to potential intrusions. Such systems are inherently inflexible because it is very difficult to change the behavior of the security features once the integrated circuit has been fabricated. The only way to alter the behavior of these security features is to undertake the expensive and time-consuming task of designing and fabricating a new integrated circuit.

[0007] Another consequence of a hard-wired architecture is that it is difficult to produce custom security features for low volume applications. This is because it takes a considerable amount of time and money to design, test, and fabricate an integrated circuit. Consequently, it is difficult economically to justify building small quantities of secure integrated circuits, each customized for a special environment.

[0008] There are many situations in which it is desirable to use the same secure integrated circuit, yet have the ability to modify the security features in accordance with the requirements of the application and environment. For example, if the secure integrated circuit is used to process extremely sensitive information, it will be prudent to implement a conservative security "policy" - e.g., destroying all the confidential data (e.g., keys) inside the integrated circuit upon detection of even a small deviation from a predetermined state. On the other hand, if the information is not very sensitive, and it is not convenient to replace the secure integrated circuit, the security policy could be more lenient - e.g., action could be taken only when there is a large deviation from the predetermined state.

[0009] Thus, it is desirable to have a secure integrated circuit architecture in which a broad range of flexible security policies can be implemented.

2. SUMMARY OF THE INVENTION. 


[0010] The present invention is embodied in a Secured Processing Unit (SPU) chip, a microprocessor designed especially for secure data processing. By integrating the keys and the encryption/decryption engine and algorithms in the SPU, the entire security process is rendered portable and is easily distributed to its intended recipients, with complete privacy along the way. This is accomplished by the following SPU-based features: positive identification and reliable authentication of the card user, message privacy through a robust encryption capability supporting the cryptographic standards, secure key exchange, secure storage of private and secret keys, algorithms, certificates or, for example, transaction records or biometric data, verifiability of data and messages as to their alteration, and secure authorization capabilities, including digital signatures.

[0011] The access card could be seen as a form of electronic wallet, holding personal records, such as one's driver's license, passport, birth certificate, vehicle registration, medical records, social security cards, credit cards, biometric information such as finger- and voiceprints, or even digital cash.

[0012] A personal access card contemplated for everyday use should be resilient to the stresses and strains of such use, i.e., going through X-ray machines at airports, the exposure to heat if left in a jacket placed on a radiator, a mistyped personal identification number (PIN) by a flustered owner, etc. Thus, in such an application, the SPU could be programmed with high tolerances to such abuses. A photo detector triggered by X-rays might be cued a few moments later to see if the exposure had stopped. Detection of high temperature might need to be coupled to other symptoms of attack before defensive action was taken. A PIN number entry could be forgiving for the first two incorrect entries before temporarily disabling subsequent functions, as is the case with many ATMs.

[0013] For an application like a Tessera Crypto-Card, a secure cryptographic token for the new Defense Messaging System for sensitive government information, the system might be programmed to be less forgiving. Handling procedures for Tessera Card users may prevent the types of common, everyday abuses present in a personal access card. Thus, erasure of sensitive information might be an early priority.
[0014] Various encryption schemes have been proposed, such as where a user creates and authenticates a secure digital signature, which is very difficult to forge and thus equally difficult to repudiate. Because of a lack of portable personal security, however, electronic communications based on these schemes have not gained widespread acceptance as a means of conducting many standard business transactions. The present invention provides the level of security which makes such electronic commerce practical. Such a system could limit, both for new and existing applications, the number of fraudulent or otherwise uncollectible transactions.

[0015] Another possible application is desktop purchasing, a delivery system for any type of information product that can be contained in electronic memory, such as movies, software or databases. Thus, multimedia-based advertisements, tutorials, demos, documentation and actual products can be shipped to an end user on a single encrypted CD-ROM or broadcast through suitable RF or cable channels. Virtually any content represented as digital information could be sold off-line, i.e., at the desktop, with end users possibly permitted to browse and try such products before buying.
[0016] The encryption capabilities of the SPU could be employed to decrypt the information, measure and record usage time, and subsequently upload the usage transactions to a centralized billing service bureau in encrypted form, all with a high degree of security and dependability. The SPU would decrypt only the appropriate information and transfer it to a suitable storage medium, such as a hard disk, for immediate use.
[0017] Information metering, software rental and various other applications could also be implemented with an SPU-based system, which could authenticate users and monitor and account for their use and/or purchase of content, while securing confidential information from unauthorized access through a flexible security policy appropriate to the specific

[0018] This pay-as-you-go option is an incentive to information providers to produce products, as it minimizes piracy by authenticating the user's initial access to the system, securing the registration process and controlling subsequent use, thereby giving end users immediate access to the product without repeated authorization.
[0019] Other aspects and advantages of the present invention will become apparent from the following description of the preferred embodiment, taken in conjunction with the accompanying drawings and tables, which disclose, by way of example, the principles of the invention.

3. BRIEF DESCRIPTION OF THE DRAWINGS.
[0020] 

FIG. 1 is a simplified block diagram of the apparatus in accordance with the present invention, showing the Secured Processing Unit (SPU) for performing POPS.
FIG. 2 is a simplified block diagram of the Power Block shown in FIG. 1.

FIG. 3 is a schematic representation of the Silicon Firewall.

FIG. 4 is a schematic representation of an embodiment of the Silicon Firewall shown in FIG. 3. 
FIG. 5 is a schematic representation of an alternative embodiment of the Silicon Firewall shown in FIG. 3.

FIG. 6 is a block diagram of the System Clock shown in FIG. 1.

FIG. 7 is a schematic representation of the Ring Oscillator shown in FIG. 6. 

FIG. 8 is a block diagram of the Real Time Clock shown in FIG. 1.

FIG. 9 is a flowchart of the firmware process for performing the Inverting Key Storage. 

FIG. 10 is a schematic representation of the Inverting Key Storage. 

FIG. 11 is a block diagram of an embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 12 is a schematic representation of an alternative embodiment of the Metallization Layer Detector shown in

FIG. 13 is a schematic representation of a second alternative embodiment of the Metallization Layer Detector shown in FIG. 1.

FIG. 14(a) is a flowchart of the firmware process for performing the Clock Integrity Check.

FIG. 14(b) is a flowchart of the firmware process for performing the Power Integrity Check.

FIG. 15 is a flowchart of the firmware process for performing the Bus Monitoring Prevention.

FIG. 16 is a flowchart of the firmware process for performing the Trip Wire Input.

FIG. 17 is a flowchart of the firmware process for performing the Software Attack Monitor.

FIG. 18 is a flowchart of the firmware process for performing the Detection Handler.

FIG. 19 is a simplified representation of the stages of the Filtering Process, including correlating the detectors and selecting the responses.

FIG. 20 is a flowchart of the firmware process for performing the filtering of detectors and selection of responses in the context of a simple SPU application; in this instance, using an SPU-equipped PCMCIA card as a digital cash or debit card.

4. DETAILED DESCRIPTION. 

a. General Architecture.

[0021] A flexible architecture in accordance with the present invention permits extension and customization for specific applications without a compromise in security. One physical embodiment of this invention is a single-chip SPU that includes a 20-MHz 32-Bit CPU, based on the National Semiconductor NS32FV16 Advanced Imaging and Communications microprocessor, but lacking that chip's Digital Signal Processing (DSP) unit.

[0022] Referring to FIG. 1, the gross features of the SPU architecture are described. This description is not meant to be a literal description of the SPU layout, as some features have been moved or regrouped in order to gain a better conceptual understanding of the principles underlying the present invention. The SPU's Micro Controller 3 is isolated from all off-chip input - such input regulated by the External Bus Interface Block 9 and the general purpose I/O Port Block 1 - instead receiving programmed commands via an Internal Data Bus 10 from the on-board ROM Block 7. In one embodiment, the ROM Block 7 is configured at 32 KBytes, and the battery-backed RAM Block 8 is configured at 4 KBytes. The Internal System Bus 10 carries all the major signals among the SPU peripherals, such as the address and data lines, read and write strobes, enable and reset signals, and the Micro Controller clock signal, CTTL 25.
[0023] The System Clock Block has a programmable internal high-frequency oscillator, and is the source, through SYSCLK 35, for the Micro Controller clock signal CTTL 25, which governs all peripheral functions.
[0024] The Real Time Clock 5 for the SPU follows the IEEE 1212 standard, which specifies control and status register architecture, and which builds upon and significantly enhances the UNIX time format (UNIX time being the number of seconds elapsed since January 1, 1970). The Real Time Clock 5 is implemented through a binary ripple counter which is driven via RTCLK 29 by an off-chip external 32.768 KHz quartz crystal 14 in conjunction with RTC Oscillator 14 circuitry. Through an offset in battery-backed RAM 8, for example, the Real Time Clock 5 provides UNIX time, and can implement a host of time-based functions and time limits under ROM Block 7 program control. One firmware routine stored in the ROM Block 9 cross-checks the System Clock 2 and Real Time Clock 5 so as to overcome tampering with the latter.

[0025] The I/O Port Block 1 is a general-purpose programmable input/output interface which can be used to access off-chip RAM, and meet general I/O requirements. Off-chip RAM (not shown) would be typically used for information that cannot be accommodated internally but, for security and performance reasons, still needs to be closer to the SPU than main system memory or disk storage. This information may be protected by modification detection codes, and may or may not be encrypted, depending on application requirements. In addition to serving as a memory interface, several signals on this port can be used to implement cryptographic alarms or trip wire inputs, or even to zero inputs or keys.
[0026] The External Bus Interface Block 9 is the communications port to the host system. In one embodiment, it is the means for getting the application commands as well as data to and from the SPU, and is designed to match the ISA bus standard requirements.

[0027] The Power Block 13 switches between system and battery power depending on system power availability. Power from an external battery (not shown) is supplied to the RTC Block 5, the RAM Block 8 and a Status Register 11 through VPP 24, as well as to off-chip RAM (not shown) through VOUT 23, when system power is not available. The Power Block 13 also provides signals PWRGD 27, DLY_PWRGD 26 and CHIP_PWRGD 28, which, respectively, start the System Clock 2, reset the Bus Controller 4 and enable the isolation of the battery-backed parts of the circuit from the non-battery-backed parts through the Power Isolation 12.

[0028] A Silicon Firewall 20 protects the internal circuitry from any external asynchronous or otherwise anomalous signals, conditioning the inputs from the I/O Port Block 1 via PIN lines 32 or the External Bus Interface 9 via ADDR/DATA lines 33, the RESET 30 to the Bus Controller 4, as well as from a host of security detectors. Some internally generated signals, such as the output of the Real Time Clock 5, are similarly conditioned.
[0029] The Status Register 11 is the repository of all hardware detector signals arrayed through the device to detect various attempted security breaches. Detectors may include a Photo Detector 16, Temperature Detector 17, Metallization Layer Detector 18 and any Additional Detectors 19 (represented in ghost), for example: high/low voltage detectors, vibration detectors, sand detectors. Each of these detectors may convey one or more bits of information which, in one embodiment, are stored in the Status Register 11. The Status Register 11 may also store internally generated signals, such as the ROLLOVER 34 signal from the Real Time Clock 5 and the Valid RAM and Time (VRT) bit, used to verify the integrity of the information stored in the RAM Block 8 and the time counter in the Real Time Clock 5.
[0030] In one embodiment, a DES Engine 6 is provided as a cryptographic engine to encrypt and decrypt data using its DES algorithm. Alternative embodiments of cryptographic engines may be implemented entirely in hardware or in a combination of hardware and software, and may use other cryptological algorithms, including RSA or secret algorithms such as RC2, RC4 or Skipjack, or combinations thereof. The DES Engine 6 receives keys and data for the cryptographic process from the RAM Block 8 under the control of the Micro Controller 3. The data used could be application data supplied from the External Bus Interface 9 or protected data from the RAM Block 8. The DES Block 6, in one embodiment, performs a decryption of a 64-bit block in 18 clock cycles. Thus, with an SPU rated at 20 MHz, a single decryption will take approximately 90 ns, which amounts to a decryption rate of 8.9 Mbytes per second.
[0031] Typically, the SPU receives "messages" in encrypted form. The cryptographic engine (e.g. DES Engine 6) uses keys, for example, "session keys" specific to a particular application transaction or "session". The cryptographic engine is thus used to encrypt or decrypt the messages, or perform other cryptographic operations as is well-known in the art. In addition to providing secure message transfer, the SPU also provides secure key transfer. By having, or indeed even generating, a "master key" internally (using any of the well-known key generation techniques for public or secret key algorithms), the SPU can receive session keys in encrypted form and, treating them like messages, decrypt them with the cryptographic engine using the master key. Conversely, the SPU can encrypt and send messages in a secure manner. The master key, the decrypted session keys and other sensitive information (e.g. the encryption/decryption algorithms) are stored in secure rewritable memory on the SPU, as described below.

i. Power Block.

[0032] The security requirements of the SPU impose special requirements on the power supply. As the Real Time Clock 5 is used to maintain accurate time and the RAM 8 is used to store and maintain information, both for the field life of the product, each must have a continuous source of power, VPP 24, which here is supplied by the Power Block 13.
[0033] Referring now to FIG. 2, the battery VBAT 21 and system VDD 22 voltages are supplied to the Power Switching Circuit 101. This circuit uses a conventional analog comparator to determine the higher of the two voltages, VDD 22 and VBAT 21, and provides such voltage as VPP 24 to the internal circuitry and as VOUT 23, which could be used as a voltage supply for off-chip RAM, for example. The Power Switching Circuit 101 also provides a PWRGD 27 signal, which is used to indicate whether the entire SPU chip is powered through VDD 22 (the high state), as opposed to only the battery-backed sections being powered via VBAT 21 (the low state). In one embodiment, the threshold for this switch is when VDD 22 exceeds 1.2 times VBAT 21. If the external battery is dead, VBAT 21 is effectively zero, and PWRGD 27 goes high as soon as VDD 22 is turned on.

[0034] The PWRGD 27 signal, as not originating from the Internal Data Bus 10, would represent a security risk within the circuitry inside the Silicon Firewall 20, if left untreated. However, unlike other signals that are passed through the Silicon Firewall 20, PWRGD 27 is used to start the System Clock 2 (as discussed below), and thus cannot be conditioned and synchronized by the Silicon Firewall 20 in the manner those other signals are treated. Thus, the Power Switching Circuit 101 conditions the PWRGD 27 signal by a low-pass filter, which acts as a "glitch eater" to prevent any rapid changes in the resultant PWRGD 27 signal and give it a sufficiently narrow bandwidth as to admit it to the internal circuitry.

[0035] Two counters, PWRUP Counter 102 and PWRDN Counter 103, are provided to produce DLY_PWRGD 26, a delayed version of PWRGD 27, as clocked by the system clock CTTL 34 signal. These counters may be conventional devices as is well known in the art. In one embodiment, this DLY_PWRGD 26 signal is used as an input to the AND gate 31 incident to the Bus Controller 4, as shown in FIG. 1, thus assuring the SPU is always powered up in the reset state. The DLY_PWRGD 26 and PWRGD 27 signals are combined through an AND gate 114 to produce another signal, CHIP_PWRGD 28.

[0036] The CHIP_PWRGD 28 signal is provided to prevent current flow from the battery-backed circuitry to the rest of the circuit that is not powered when the system power VDD 22 is removed, and thus allow for the orderly shutdown of the non-battery-backed sections. This signal acts as an early detection system for the system power going away. Referring to FIG. 1, the CHIP_PWRGD 28 signal is used by the Power Isolation Circuit 12 which isolates the inputs and outputs of the Real Time Clock 5, RAM 8 and Status Register 11 from non-battery-backed sections of the chip. CHIP_PWRGD 28 is conditioned in the manner of the Silicon Firewall 20 described below; this process has the added advantage of preventing any invalid writes to the RAM 8 or Real Time Clock 5 when the power source is being switched.
[0037] As described above, the DLY_PWRGD 26 signal may be used as a reset. However, if the PWRUP Counter 102 is powered up in the wrong state, it may affect the reset operation of the rest of the device. The state machine in PWRUP Counter 102 could power-up in a state of continual reset owing to the dual requirements of powering up without reset, and delaying the stopping of CTTL 34 clocking upon power down. To overcome this problem, a separate analog circuit VCCPUD 104 is provided, with inputs SET_PWUP 110 and CLR_PWUP 111, which, respectively, set and clear the output VCCPWUP 107. The VCCPUD 104 circuit also monitors VDD 22 such that VCCPWUP 107 will also clear if VDD 22 falls below approximately 2V. In this embodiment, VDD 22 is supplied by the Power Switching Circuit 101 via VREF 115.

[0038] The operation of the PWRUP Counter 102 and PWRDN Counter 103 in conjunction with VCCPUD 104 is thus as follows. On power up, until the system power VDD 22 comes up above 1.2 times VBAT 21, VCCPWUP 112 acts as a reset to PWRUP Counter 102 and PWRDN Counter 103; afterwards PWRGD 27 and consequently VCCPWUP 112 will come up, triggering the start of the PWRUP Counter 102. Seven clock cycles later, as clocked by CTTL 34, the DLY_PWRGD 26 and CHIP_PWRGD 28 signals will go high. Conversely, when VDD 22 comes down, before it dips below 2V, it will drop below 1.2 times VBAT 21, thus PWRGD 27 will go low, starting the PWRDN Counter 103 via inverter 108. Eight clock cycles later, the PWRDN Counter 103 will trigger the SHUTDOWN 113 signal, which will activate CLR_PWUP 111, causing VCCPWUP 112 to go low, resetting the PWRDN Counter 103 via AND gate 107 and the PWRUP Counter 102 via inverter 109. Thus, if the PWRGD 27 signal is low for longer than seven clock cycles, the entire device is reset as if power has been completely removed. This delay takes into account transients in the power supply where VDD 22 goes high but dips below 2V briefly before returning to an acceptable level.
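As an added illustration (not part of the patent), the following Python model reproduces the PWRGD, DLY_PWRGD, CHIP_PWRGD and VCCPWUP sequencing of paragraphs [0033] to [0038] cycle by cycle: the 1.2 x VBAT switch threshold, the seven-cycle PWRUP delay, the eight-cycle PWRDN shutdown and the 2 V VCCPUD cut-off. The 3 V battery and the per-cycle VDD traces are constructed values, and the low-pass "glitch eater" on PWRGD is not modelled.

```python
from dataclasses import dataclass

# Parameters taken from paragraphs [0033]-[0038]; voltages in volts.
SWITCH_RATIO = 1.2   # PWRGD is high while VDD exceeds 1.2 x VBAT
VDD_MIN = 2.0        # VCCPUD 104 clears VCCPWUP when VDD falls below ~2 V
PWRUP_CYCLES = 7     # DLY_PWRGD/CHIP_PWRGD rise seven CTTL cycles after PWRGD
PWRDN_CYCLES = 8     # SHUTDOWN fires eight CTTL cycles after PWRGD falls


def pwrgd(vdd: float, vbat: float) -> bool:
    """Power Switching Circuit 101: high when the whole chip runs from VDD."""
    return vdd > SWITCH_RATIO * vbat


def vpp(vdd: float, vbat: float) -> float:
    """VPP 24 / VOUT 23: the higher of the two supplies."""
    return max(vdd, vbat)


@dataclass
class PowerBlock:
    """Behavioural model of PWRUP Counter 102, PWRDN Counter 103 and VCCPUD 104."""
    vccpwup: bool = False
    pwrup_count: int = 0
    pwrdn_count: int = 0
    dly_pwrgd: bool = False
    resets: int = 0  # full-device resets (SHUTDOWN, or VDD dropping below 2 V)

    def _clear(self) -> None:
        """CLR_PWUP: VCCPWUP low holds both counters in reset."""
        if self.vccpwup:
            self.resets += 1
        self.vccpwup = False
        self.pwrup_count = 0
        self.pwrdn_count = 0
        self.dly_pwrgd = False

    def step(self, vdd: float, vbat: float) -> dict:
        """Advance one CTTL clock cycle and return the output signals."""
        good = pwrgd(vdd, vbat)
        if vdd < VDD_MIN:
            self._clear()                       # VCCPUD monitors VDD directly
        elif good:
            self.vccpwup = True                 # SET_PWUP once PWRGD comes up
            self.pwrdn_count = 0
            self.pwrup_count = min(self.pwrup_count + 1, PWRUP_CYCLES)
            self.dly_pwrgd = self.pwrup_count >= PWRUP_CYCLES
        elif self.vccpwup:
            self.pwrdn_count += 1               # PWRGD low: PWRDN counter runs
            if self.pwrdn_count >= PWRDN_CYCLES:
                self._clear()                   # SHUTDOWN 113 -> CLR_PWUP 111
        # DLY_PWRGD lags PWRGD on both edges; CHIP_PWRGD (AND gate 114) drops
        # as soon as PWRGD does, giving early warning that power is going away.
        return {"PWRGD": good, "DLY_PWRGD": self.dly_pwrgd,
                "CHIP_PWRGD": good and self.dly_pwrgd, "VCCPWUP": self.vccpwup}


def simulate(vdd_trace, vbat: float):
    """Run the block over a per-cycle VDD trace; returns (block, per-cycle signals)."""
    block = PowerBlock()
    return block, [block.step(vdd, vbat) for vdd in vdd_trace]


def first_high(trace, name: str):
    """Index of the first cycle in which signal `name` is high, else None."""
    return next((i for i, s in enumerate(trace) if s[name]), None)


# Constructed VDD traces with a 3 V battery (PWRGD threshold 3.6 V).
CLEAN_UP = [5.0] * 10                                   # plain power-up
SHORT_DIP = [5.0] * 10 + [3.0] * 3 + [5.0] * 5          # 3-cycle brownout
LONG_DIP = [5.0] * 10 + [3.0] * 10 + [5.0] * 10         # 10-cycle brownout
DEEP_DIP = [5.0] * 10 + [1.0] * 5                       # VDD below 2 V

if __name__ == "__main__":
    for label, vdd in (("clean", CLEAN_UP), ("short dip", SHORT_DIP),
                       ("long dip", LONG_DIP), ("deep dip", DEEP_DIP)):
        block, trace = simulate(vdd, 3.0)
        chip = "".join("1" if s["CHIP_PWRGD"] else "0" for s in trace)
        print(f"{label:9s} CHIP_PWRGD={chip} resets={block.resets}")
```

A brownout shorter than the PWRDN count drops CHIP_PWRGD at once but leaves DLY_PWRGD and the counters intact, so no reset occurs; a longer one clears VCCPWUP and the chip must count through the PWRUP delay again.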

ii. Alarm Wake Up.

[0039] One embodiment of the present invention disables detection capability when the SPU is running on battery power VBAT 21 only. In an alternative embodiment, in the absence of system power, VDD 22, non-battery backed parts of the SPU are temporarily powered through VBAT 21. As represented in ghost in FIG. 1, if any detector triggers a signal, the OR gate 39 would send an ALARM 38 signal to the Power Block 13.

[0040] With further reference to FIG. 2, if VBAT 21 alone was sufficiently high to power the whole SPU, a suitably modified Power Switching Circuit 101 would, upon triggering by the ALARM 38 signal: (i) generate a PWRGD 27 signal much as seen before; (ii) generate a new signal, APWRGD 40, to indicate that the SPU was operating under alarm-triggered "emergency" power; and (iii) switch VREF 115 from VDD 22 to VBAT 21 so as not to interfere with the powering up process. In the continued absence of adequate VDD 22, a SLEEP 41 signal received by the Power Switching Circuit 101 would make PWRGD 27 and APWRGD 40 go low, switch VREF 115 back to VDD 22, and so trigger a power down much as seen before.
iii. Silicon Firewall.

[0041] A common assumption, when defining a security model, is that everything inside a system is protected and everything outside is not protected. In any effort to plan for security features, it is crucial to establish a clear understanding of the system boundary and to define the threats, originating outside the boundary, against which the system must defend itself. In the case of the SPU, the system boundary is the silicon boundary, or equivalently the perimeter of the SPU chip. The components inside the system boundary are of two types: those responsible for maintaining the security of the system, and those responsible for performing other functions. Separating the two types of components is the boundary of the security perimeter, with the area between the security perimeter and the system boundary being the silicon firewall. The silicon firewall's role is thus to defend the security perimeter. One aspect of this role, for example, is to prevent inputs from outside the security perimeter reaching inside untreated; untreated inputs may drive the system into unpredictable and uncontrollable states.
[0042] The Micro Controller 3 is one of the least trusted components in the SPU, precisely because it is difficult to verify all the multitudinous states of a micro controller. Consequently, the Micro Controller 3 in a SPU should be protected from asynchronous or otherwise abnormal inputs, i.e., signals which are outside the normal operating mode of the Micro Controller 3. Examples of abnormal inputs are signals which have disallowed input levels (e.g., signals which have neither valid high nor valid low logic levels) and signals which have timing transitions which are out-of-specification. Not only signals external to the SPU need treatment, but all internal signals which are asynchronous to the Micro Controller must be treated by special protection circuitry.
[0043] A common technique to prevent asynchronous and abnormal inputs is to equip all inputs to a semiconductor chip with Schmitt trigger devices coupled with latch circuits, which thereby ensure that signals cannot change state other than as sampled by the semiconductor chip. However, it is difficult to fabricate Schmitt triggers. Furthermore, Schmitt triggers are slow because of hysteresis effects. The SPU according to the present invention uses a Silicon Firewall design to protect all interfaces to the Micro Controller 3. One of the designs of the Silicon Firewall involves a state machine. FIG. 3 shows one embodiment of a state machine 710 which could be used as a Silicon Firewall state machine. It comprises a data register 712, the state of which is controlled by a clock 714. In this embodiment, state machine 710 operates as a four t-state machine. During any time other than t1, data is locked out of data register 712. At t1, input data (if available) is latched into an input port 716 of data register 712. However, data is not available to the output port 718 of data register 712 until t3. Consequently, any metastable states of the input data are nullified by the

[0044] FIG. 4 shows an embodiment of a data register 720 which can be advantageously used in state machine 710. Register 720 comprises two D flip-flops 722 and 724. The output terminal 726 of flip-flop 722 is coupled to the input terminal of flip-flop 724. A clock signal is sent to the clock terminals 728 and 729 of flip-flops 722 and 724, respectively.

[0045] When an external signal, which is generally asynchronous, is applied to the input terminal 732 of flip-flop 722, 
its state (high or low) is latched into flip-flop 722 only at the rising edge of the first clock pulse. It is kept the 
same until the rising edge of the second clock pulse. As a result, the output signal at terminal 726 of flip-flop 722 
remains at the same state from the rising edge of the first clock pulse to the rising edge of the second clock pulse, 
regardless of the state of the input signal between the two rising edges.
[0046] The state of the output terminal 726 of flip-flop 722, which corresponds to the external signal at the rising edge 
of the first clock pulse, is latched into flip-flop 724 at the rising edge of the second clock pulse. Thus, the output 
terminal 734 of flip-flop 724 will have a state equal to the state of the external signal at the rising edge of an earlier 
clock pulse.

[0047] It can be seen from data register 720 that the input is sampled at a time determined (i.e., synchronized) by the 
clock pulses. In addition, any abnormal signal is filtered by flip-flop 722. Consequently, the signal connected to the 
embedded controller is a normal and synchronized signal.
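As an added illustration (not part of the patent), the following Python model samples an asynchronous input through two flip-flops the way data register 720 does, showing that a pulse living entirely between two rising edges never reaches terminal 734, while a genuine transition appears there two edges later. The waveforms and clock edge times are constructed.

```python
"""Behavioural model of the two-flip-flop data register 720 (FIG. 4).

Added example, not the patent's circuit description. The input waveforms
and clock edge times below are constructed for illustration.
"""
from typing import Callable, List, Tuple

Waveform = Callable[[float], int]   # asynchronous input: time -> logic level 0/1


def synchronize(external: Waveform, rising_edges: List[float]) -> List[Tuple[float, int, int]]:
    """Return (edge_time, q722, q734) after each rising clock edge.

    Flip-flop 722 samples the external signal only at a rising edge; flip-flop
    724 samples the *previous* output of 722 at the same edge, so terminal 734
    reflects the input as it was one full clock period earlier.  Whatever the
    input does between two edges is never observed.
    """
    q722 = 0  # output terminal 726 of flip-flop 722
    q734 = 0  # output terminal 734 of flip-flop 724
    trace = []
    for t in rising_edges:
        # Both flops clock on the same edge: 724 latches the old value of 722
        # before 722 takes on the new sample.
        q734, q722 = q722, external(t)
        trace.append((t, q722, q734))
    return trace


def glitch_between_edges(t: float) -> int:
    """Constructed: a spurious pulse that lives entirely between edges 1 and 2."""
    return 1 if 1.2 < t < 1.8 else 0


def clean_step(t: float) -> int:
    """Constructed: a genuine transition from 0 to 1 at t = 1.5."""
    return 1 if t >= 1.5 else 0


EDGES = [0.0, 1.0, 2.0, 3.0, 4.0]   # constructed rising-edge times


def outputs_at_734(external: Waveform) -> List[int]:
    """Sequence seen by the embedded controller (terminal 734), one value per edge."""
    return [q734 for (_, _, q734) in synchronize(external, EDGES)]


if __name__ == "__main__":
    print("glitch :", outputs_at_734(glitch_between_edges))   # [0, 0, 0, 0, 0]
    print("step   :", outputs_at_734(clean_step))             # [0, 0, 0, 1, 1]
```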

[0048] FIG. 5 shows an alternative embodiment of a data register 740 which can be advantageously used in state 
machine 710. Data register 740 consists of a multiplexer 742, a D flip flop 744, a buffer 746 and a device 748 for gen- 
erating a clock signal having four t-states in response to an input clock signal on line 750. The output of multiplexer 742 
is connected to the input of D flip flop 744, and the output of D flip flop 744 is connected to the input of buffer 746 and 
one of the input terminals of multiplexer 742. The other terminal of multiplexer 742 is connected to an external signal 
on line 758 (generally asynchronous). Device 748 generates a clock signal on line 752 which controls multiplexer 742 such that the 
external asynchronous signal on line 758 is coupled to D flip flop 744 only at time t1. Device 748 also generates a clock 
signal on line 754 which controls buffer 746 such that the output signal of D flip flop 744 passes through buffer 746 only 
at time t3. As a result, the signal on line 756 is synchronized.
iv. Internal System Clock.

[0049] A system clock compatible with PDPS faces a series of design considerations: cost, governmental regulatory 
compliance, printed circuit board area, power consumption and last, but most important, security. The desire for high 
performance places a premium on clock speed, which is directly proportional thereto.

[0050] The cost of clocking circuits increases with frequency, and external clocks may represent a sizeable fraction of 
the entire manufacturing cost. The greater the physical extent of the high-frequency circuitry, the greater the high-fre- 
quency EM emissions, resulting in both a problem for security as well as meeting FIPS 140-1 requirements. EM emis- 
sions can give surprising amounts of information to sophisticated attackers - by analyzing the power spectrum one 
might even deduce which type of algorithm is being processed at any particular time. As compared with an internal 
clock sitting right on the microprocessor, an external clock coupled to a microprocessor cannot be made to comply as 
easily with the FIPS 140-1 EMI/EMC requirements which impose limits on EM emissions. External clocking arrange- 
ments can use significant real estate on printed circuit boards and hence restrict design applications. The desire to 
reduce power consumption favors internal clocks: they can operate at lower voltages than external ones, which have to 
deal with high outside EM interference, and they have smaller power dissipation capacitances owing to their smaller 
physical dimensions. Moreover, the presence of an external clock allows a potential chip attacker to manipulate the 
clock speed, a factor which may allow it to foil other security devices.

[0051] Internal oscillators, of themselves, are not novel structures. One can find a programmable internal oscillator in 
Carver Mead and Lynn Conway, Introduction to VLSI Systems, Addison-Wesley (1980), pp. 233-236. Another exam- 
ple is a phase-locked loop circuit which locks upon an external low frequency reference, as described by Brian Case, 
"Sony & HDL Detail Embedded MIPS Cores", Microprocessor Report, vol. 7, no. 15, November 15, 1993. This outside 
link through an external reference is completely inappropriate in a security environment, however.
[0052] Referring now to FIG. 6, the System Clock 2 is implemented using a standard 5-clock-cycle shutdown, 5-clock- 
cycle enable, state machine once a change request has been detected. The Bus Interface and Decoder 151 selects and 
decodes three types of signals off the Internal Bus 10: the internal system clock signal CTTL 34 which is passed onto 
SYSCLK 35, as was illustrated in FIG. 1; a STOP_CLK 166 signal to stop the System Clock 2; and the 4 bit signal 
OSC_FREQ 172, representing the programmed frequency for the Ring Oscillator 156. The OSC_FREQ 172 signal is 
stored in the Oscillator Control Register 152, and is fed into the Change Pulse Generator 153. The STOP_CLK 166 and 
PWRGD 27 signals are fed into AND gate 164, the output of which is fed into the Change Pulse Generator 153, AND 
gate 165, the set of entry latches 154, the Clock Edge Prohibit 155, and the resets for the D flip-flops 159-163. Thus, 
when the Change Pulse Generator 153 detects a change in any of its inputs, it generates a pulse 
CHANGE_DETECTED 167 which is latched onto the latch 158. The D flip-flops 159-163 act as a shift register, prop- 
agating the latched signal from latch 158 down the line in five clock cycles, the clocking generated by RING_CLK_OUT 
170, the output of the Ring Oscillator 156. When the signal has propagated through the last D flip-flop 163, it generates: 
(i) an OPEN_LATCH 168 signal to the entry latches 154 and Clock Edge Prohibit 155; and (ii) a CLOSE_LATCH 169 
signal to the exit latch 157 and the AND gate 165, thus resetting the latch 158.

[0053] The OPEN_LATCH 168 signal, in conjunction with a high signal from the AND gate 164, will enable the Clock 
Edge Prohibit 155, which is a one-shot trigger generating a SHUTDOWN_CLK 171 signal for approximately 120 ns, 
allowing a new frequency to be programmed into the Ring Oscillator 156 without introducing transient glitches. At the 
same time, the CLOSE_LATCH 169 signal will remain low for one clock cycle, resulting in the output SYSCLK 35 having 
a longer duty cycle for one clock cycle, and then the data in the Oscillator Control Register 225 will correspond to the 
output frequency of SYSCLK 35.

[0054] The Ring Oscillator 156 itself will now be described. To compensate for the wide process variations introduced 
in manufacture, resulting in variances in individual clock rates over a wide range, the Ring Oscillator 156 is programma- 
ble to sixteen different frequencies of operation: 22 MHz, 23 MHz, 24.8 MHz, 26.2 MHz, 27.7 MHz, 29 MHz, 31.9 MHz, 
34.3 MHz, 37.8 MHz, 40.2 MHz, 46 MHz, 51.2 MHz, 58.8 MHz, 64.9 MHz, 82.2 MHz and 102.2 MHz. The particular 
nature of the Micro Controller 3, as well as concerns for the operational compatibility with the ROM 7, dictated that these 
nominal frequencies be divided by two before the signal leaves the Ring Oscillator 156 and is provided to the Micro Con- 
troller 3 via SYSCLK 35.

[0055] Referring now to FIG. 7(a), one can see that this aforementioned frequency division is accomplished by the D 
flip-flop 210 whose output is RING_CLK_OUT 170. The OSC_FREQ 172 signals are supplied in pairs to one of two 
multiplexers MUX1 204 and MUX2 208. The output of MUX2 208 is fed to the D flip-flop 210 clock input and the NAND 
gate 209. The SHUTDOWN_CLK 171 signal is fed to the D flip-flop 210 reset and the NAND gate 209. Blocks 201, 202, 
203, 205, 206, 207 are chains of inverters, represented in FIGS. 7(b), 7(c), 7(c), 7(d), 7(e) and 7(e), respectively. 
Depending on the state of the OSC_FREQ 171 signals, from (0,0,0,0) to (1,1,1,1), asserted on the multiplexers MUX1 
204 and MUX2 208, the results yield an effective circuit varying in the number of inverters. In FIG. 7(b) a chain of 8 
inverters 211-218 is shown, each connected to VPP 24 through capacitors 219-226. These capacitors act to 
swamp all routing capacitance through the circuit. Similarly, FIG. 7(c) shows the corresponding 4 inverter chain with 
[...] and capacitors 231-234. FIG. 7(d) shows the 2 inverter chain with inverters 235 and 236, capacitors 
[...] and 240, but with only a single capacitor 241 attached to [...]

[...] security breach.

v. Real Time Clock.

[0057] For the reasons disclosed above, as well as an innate temperature variability of about 3 [...] per 
[...], the [...] presents a secure but somewhat inaccurate timing device, suitable for internal [...]

[0058] Referring to FIG. 1, the RTC Oscillator 14 is designed to produce a 32.768 KHz signal, RTCLK 29, through 
[...]. [...] from the RTC Oscillator 241 is used to drive the Real Time Clock, as described below. 

[...] without resorting to RTCLK 29, and thus permits testing of the device. 

[0060] As RTCLK 29 is an external asynchronous signal, the resulting signals SFC 306, SC 307 and ROLLOVER 34 
must be treated by the Synchronization Block 303, in the manner of the Silicon Firewall described earlier. Thereafter, 
[...] may be appropriately channeled through the Internal Bus 10 in response to polling by 
[...]. The [...] ROLLOVER 34 signal will be discussed in the context of the Rollover Bit dis- 
cussed below.

[...] In accordance with the alarm wake-up feature of the alternative embodiment discussed above, a Countdown 
[...] 308 (represented in ghost) is set by the Micro Controller 3 via counter control signals sent on the Internal Bus 
[...]. [When the Countdown ...] 308 accomplishes a predetermined count, as clocked off the Ripple Counter 302 [...], 
[it generates] an ALARM 38 signal in the same manner as described above. In addition, the ROLLOVER 309 signal, passed 
through OR gate 309, may provide the basis of another wake up signal via ALARM 38.

vi. Inverting Key Storage.

[0063] It is desirable to place secret information (e.g., the decryption key) in the volatile, or generally, re-writable mem- 
ory of the SPU. The secret information will be destroyed if power to the SPU is turned off. On the other hand, if the 
secret information is placed in non-volatile memory, an attacker can remove the SPU and at his leisure and by conven- 
tional means examine the information in the non-volatile memory.
[0064] Even if the information is loaded into the volatile memory properly, an attacker may still be able to examine 
the SPU while system power is turned off and obtain the secret information. This is because the secret [...] 
after power is turned [off]. When the secret information is loaded into memory [...] causes charge to build up in the 
dielectric of the memory cells. [If] the same secret information is placed in the same memory location for an extended 
period of time, the dielectric material may be [...] is removed from the memory cells. Further, it is possible to 
[...] "image" the memory cells [...]

[0065] One aspect of the present invention is an inverting key storage arrangement wherein the secret keys are peri- 
odically inverted. As a result, the net average charge across all memory cells is the same, thus leaving no [...] 
in the dielectric material of the memory cells which is amenable to detection.

[0066] [...] the inverting key storage arrangement is implemented in firmware. The 
[...] a key inverting routine which is executed in a predetermined time, e.g., once every 100 ms. A flow- 
chart 800 which makes use of the inverting routine 802 is shown in FIG. 9. Flowchart 800 contains a decision block 804 
[...] execute [...]. [When it is time] to execute the key inverting routine 802, flowchart 800 branches to block 808 which 
causes [interrupts] to the [SPU] to be disabled. The embedded controller then reads the key stored in volatile memory 
[...], inverts it, and the inverted key is then stored back into [...] (block 810). In order to keep track of the stat- 
us of the inversion (i.e., whether the key is in a normal or inverted state), a key-inversion status bit is assigned [...] to keep 
track of the status. After the key is inverted, the status of the key-inversion status bit is changed [...] 
(block [...]). Flowchart 800 can now branch to block 806 to other regular routines.
[0067] It is also possible to implement an inverting key storage arrangement using only hardware. FIG. 10 is a sche- 
matic [of a circuit] 820, which contains a JK flip flop 822 and a plurality of memory cells such as 
cells 824 and 825. The structure of these two cells is identical, and only one will be described in detail. Cell 824 con- 
tains two OR gates 827 and 828, a JK flip flop 829, a NOR gate 830, an inverter 831, and [...]. [A clock signal] 
on line 834 is connected to the clock input of the two flip flops 822 and 829. A Toggle/Load signal (T/L*) on line [...] is 
used to put the cells 824 and 825 in a toggle state when the signal is at a high value and the cells in a load state when 
the signal is at a low value. Thus, when the T/L* signal is low, the data on line 839 is loaded into memory cell 824. When 
the T/L* signal is high, the JK flip flop 829 will toggle according to the clock signal on line 834. A read signal on line 836 
[...] the data stored in [...]. 
The signal on line 836 indicates whether the output on line 839 is the original or the inverted signal.

vii. Additional Security Features.

[0068] In addition to the features described above, the SPU can certainly be rendered more secure in any number of 
ways. For example, the physical coating disclosed in application Ser. No. 08/096,537, "Tamper Resistant Integrated Cir- 
cuit Structure", filed July 22, 1993, in the name of inventor Robert C. Byrne, and incorporated herein by reference, is 
a tamper resistant structure laid down in a pattern which would cover portions of the SPU but expose others, so that 
etching away the tamper resistant structure destroys the exposed portions. Thus, the SPU [could not be] disas- 
sembled or reverse engineered, because the tamper resistant structure would hide the [...] 
[...]

[0069] Another security feature that could prove useful is disclosed in application Ser. No. 08/[...], 
"[...] Secure Non-Volatile Memory Cell", filed [...], in the name of inventors Max Kuo and James Jaffee, also 
[...] charge stored within the cell by causing any stored charge to dissipate upon the attempted processing of the cell. This 
[...] the role of the ROM 7 [...] Key [...]

b. Implementation of the Detectors.

i. Photo Detector. 

[0070] [...] in registers or memory of a VLSI device, often an attacker finds it fruitful to remove 
the packaging of such a device to impact such storage devices directly. This facilitates the investigation of the die 
architecture and makes it possible to probe internal nodes in an attempt to discover the secure information. Such pack- 
age removal or de-encapsulation, will thus likely expose the die to ambient light, even if inadvertently on the attacker's 
part. Detecting such light could act as input information for suitable responsive countermeasures to take place. 
[0071] The construction of a light-sensitive device can be implemented in many standard CMOS processes without 
any extra masks or steps. For example, lightly doped N-type material exhibits a conductivity proportional to the amount 
[of light ...]

[0072] [...] the Status Register 11. A plurality of such detectors may be placed at strategic places within the SPU, which may be 
used to localize and further characterize the nature of any intrusion.

ii. High/Low Temperature Detector.

[0073] The normal temperature operating range for the SPU is 0°C to 70°C. [Temperatures outside this range] in 
most applications might well be considered to be the result of an intrusion attempt by an attacker, as for example, the 
[...] grinding away at the chip's outer layer. A substrate diode, well-known to the art, should be sufficient 
for detecting temperature changes, although any other comparable device known to those of ordinary skill in the art for 
[...]

[0074] [...] the Status Register 11. Nothing in accordance with this invention precludes a multi-bit field characterizing 
a temperature scale, or a plurality of such detectors, to characterize any temperature differentials within the SPU.

iii. Metallization Layer.

[0075] Modern day integrated-circuit analysis equipment is able to probe the [...] [while] 
power is applied to the circuit. As a result, it is possible to detect a key, or other secret data for that matter, which is 
stored in volatile memory. One way to protect the secret key is to cover the key with a metal layer which is able to deflect 
probing signals directed thereon. However, this metal layer could be removed or altered fairly easily by an attacker. Con- 
sequently, protecting the key through the use of a metal layer, as contemplated in the prior art, is rather [...]. 
One way to enhance the security of the metal layer is for the SPU to contain means for detecting any alteration 
[of the] metal layer [covering] the key, or any particularly sensitive data for that matter. The SPU can then take actions 
[...]

[0076] [...] metal traces shown in FIG. 11 as parts 852-857. Each trace is connected to an output pin of a latch 860 and an input 
pin of a latch 862. These two latches are connected to the system bus 868, which is in turn connected to the Micro Con- 
troller and the memory. They are also connected to the Status Register 11. Traces 852 and 853 pass over a first area 
864, traces 854 and 855 pass over a second area 865, and traces 856 and 857 pass over a third area 866. 
[0077] During a system bus cycle, the individual output pins of latch 860 are driven to either a logic high or a logic low 
depending on the value of a random number generator (either implemented in hardware or software). [Accordingly], the 
traces 852-857 should be set to a corresponding logic high or a logic low value. At a later bus cycle, latch 862 latches 
[the logic levels on traces] 852-857. If any of the latched logic levels are different from the logic level originally driven 
by latch 860, it is assumed that an attack has been mounted on the SPU.
[0078] Another embodiment of the invention is shown in FIG. 12. The metal layer is [...] 
traces shown in FIG. 12 as numerals 902-904. These metal traces are connected to a logic high potential. FIG. 12 also 
contains a plurality of AND gates, shown as numerals 906-908, and a plurality of memory cells 913-916. Each of the 
AND gates 906-908 has one input terminal connected to one of the traces 902-904 and one output terminal connected 
to one of the power lines 910-912 of memory cells 914-916, respectively. [The other input terminals of AND gates 906-] 
908 are connected to power lines 909-911, respectively. These power lines 909-911 could feed off VPP 24, for example. 
[0079] When the metal traces are in their normal condition, i.e., connected to a logic high potential, [both] inputs [of the] 
AND gates are in a logic high potential. Thus, all the memory cells are powered by the outputs of the AND gates. How- 
ever, if any one of the metal traces is removed, the output of the corresponding AND gate will be changed to a logic low, 
which turns off the associated memory cell. Since the output of an AND gate is [also connected to an input of the adjacent] 
AND gate, the output of the adjacent AND gate becomes a logic low, which turns off the memory cell associated with 
the adjacent AND gate. This sequence of events propagates until all the outputs of the AND gates become a logic low. 
As a result, all the memory cells are turned off, resulting in the destruction of the data stored therein. This embodiment 
does not require any action of the Micro Controller and could amount to a last-ditch defense.
[0080] [Another embod]iment of the invention is a LATN cell, shown in FIG. 13 as 920. [The LATN] cell [is a] 
latch with a weak feedback path so that any intrusion in the cell will cause the [...]. [A control signal] 
is applied to a transmission gate 922 and, through an inverter 926, to another transmission gate 924. As a result, only 
[one] gate is turned on at a time. When transmission gate 922 is turned on, a data signal on line 927 
[passes] through an inverter 928 to output inverters 929 and 930. An inverter 931 is connected to inverter 929 in order 
to provide an inverted output. When transmission gate 922 is turned off, the data signal is no longer connected to the 
[output]. However, [the output is maintained] because of the feedback provided by an inverter 932 and 
transmission gate 924.

[0081] One of the important features of the LATN cell 920 of the present invention is that the feedback inverter 932 
has weak output power. Thus, if the LATN cell 920 is exposed to radiation introduced by a probe, the feedback path is 
broken and the output value of LATN cell 920 would not be maintained. 
[0082] In all of these embodiments, the outputs thereof could be used as detectors, as symbolically represented by 
Metallization Layer Detector 18, feeding their signal through the Silicon Firewall 20 to the Status Register 11. It should 
not be ignored that the Metallization Layer itself provides a passive defense to probing, as discussed below.

iv. RTC Rollover Bit and the Clock Integrity Check.

[0083] As discussed above, the Real Time Clock 5 uses a 32.768 KHz crystal to drive a Ripple Counter 248 which 
keeps time. Were one to replace this crystal with a frequency source several orders of magnitude higher while 
the SPU is operating under battery power only, one could conceivably roll the counter over a predetermined number of 
pulses to the point where, when system power is reapplied, the Micro Controller 3 would not be able to detect that any 
discernable amount of time had passed since the previous time it was turned on. The implications for various applica- 
tions are serious, as for example: metering information, where the time the information was actually used and the time 
subsequently charged for such use would have little bearing on each other.

[0084] Prior art solutions to detect clock tampering have the drawback that they require the entire system to be always 
up and running; typically, however, in order to minimize power consumption in times of non-use, most of the system is 
powered down while the real-time clock continues to run from batteries. Thus, the problem is to create a mechanism 
that can detect tampering of a real time clock without the use of the external system, such mechanism to be contained 
wholly within the real time clock for security reasons, and be a minimal drain on the total power. 
[0085] In the present invention, referring to FIG. 1, this problem is solved by the provision of a rollover bit in the Status 
Register 11, set by the ROLLOVER 34 signal. This rollover bit is configured to be read/write mask, i.e. it can only be 
cleared by writing a one to it when it already is set to one, and this write may only come from the Micro Controller 3, a 
feature which enhances security. The ROLLOVER 34 signal is generated by the Real Time Clock 5 described above. The 
32 bits of the SC 305 output, as per FIG. 8, represent a carry-over at 2^32 cycles, corresponding to about 136 years 
when operating in conjunction with a 32.768 KHz crystal. This is well within the contemplated lifetime of any SPU prod- 
uct. Even clocking the circuit at something like 32.768 MHz, three orders of magnitude higher, were this tolerated by the 
oscillator circuitry, would result in a rollover after every 49.7 days, a long time for a would-be attacker to wait, and even 
then such attacker would be foiled by the rollover bit feature, as a rollover should never occur within the contemplated 
lifetime of the product, as just discussed. Resorting to a second rollover would not work, as the rollover bit cannot be 
cleared by a second carry-over, as just described.

[0086] This approach has the advantages of its low cost of implementation, the small amount of SPU real estate it 
requires, and its compatibility with a simple ripple counter architecture, yet not inviting additional security risks.

[0087] The security offered by the RTC Rollover Bit is supplemented by a general clock integrity check as shown in 
FIG. 14(a). The process begins at step 551 by reading [...] from RAM 8, or some special register, a prior readout of 
the Real Time Clock 5 stored by this process 552. A monotonicity test is performed by comparing the present time with 
the prior stored reading 553. If the present time is less, a security problem has arisen and is signalled 560 and the proc- 
ess should then terminate 558. If the present time is indeed greater, then it is stored for a future monotonicity test 554. 
Next, a fixed benchmark performance test is conducted 555; many of these types of tests are well-known in the art and 
need not be alluded to here. The important thing is that such test take a given number of system clock cycles CTTL 25, 
such length established during production time testing or alternatively, clocked at run time for the given number of 
cycles. At the completion of the benchmark test, the completion time, as measured by the Real Time Clock 5, should 
be stored 556. Thus, the benchmark test elapsed time, as measured by the Real Time Clock 5, can be calculated and 
compared with the number of CTTL 25 clock cycles. The initial calibration of the System Clock 2, that is the setting of 
its operational frequency, should provide the necessary conversion factor between the Real Time Clock 5 and the Sys- 
tem Clock 2, allowing such a comparison. As described earlier, the System Clock 2 also exhibits a considerable degree 
of variability with temperature; thus, the time comparison should take into account some operational tolerance 557. If 
the comparison falls outside this tolerance, the security problem should be signalled 559, but in either case the process 
would then terminate 558.
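The clock integrity check just described, written out as an added Python example (not the patent's firmware): a monotonicity test against the stored prior reading, followed by a fixed-length benchmark whose elapsed time on the Real Time Clock is compared with the calibrated conversion factor within a tolerance. The nominal SYSCLK frequency, benchmark length and tolerance are assumptions, and the RTC values fed in by simulate() are constructed.

```python
"""Clock integrity check in the style of FIG. 14(a): monotonicity test plus a
fixed-length benchmark timed against the Real Time Clock.

Added example, not the patent's firmware.  The nominal SYSCLK frequency,
benchmark length and tolerance are assumptions chosen for illustration; the
RTC values fed in by simulate() are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

RTC_HZ = 32_768                    # 32.768 KHz crystal driving the Real Time Clock 5
NOMINAL_SYSCLK_HZ = 11_000_000     # assumed: lowest ring-oscillator setting (22 MHz) divided by two
BENCHMARK_CTTL_CYCLES = 5_500_000  # assumed fixed benchmark length: 0.5 s at nominal SYSCLK
TOLERANCE = 0.10                   # assumed operational tolerance for oscillator drift


@dataclass
class StoredReading:
    """Stands in for the prior RTC readout kept in RAM 8 or a special register."""
    last_rtc: Optional[int] = None


def monotonicity_test(store: StoredReading, now_rtc: int) -> bool:
    """Steps 552-554: the present time must not be less than the stored prior
    reading.  On success the present time is stored for the next test."""
    if store.last_rtc is not None and now_rtc < store.last_rtc:
        return False                      # step 560: clock appears to have gone backwards
    store.last_rtc = now_rtc              # step 554
    return True


def benchmark_rate_test(rtc_start: int, rtc_end: int,
                        cttl_cycles: int = BENCHMARK_CTTL_CYCLES,
                        sysclk_hz: int = NOMINAL_SYSCLK_HZ,
                        tolerance: float = TOLERANCE) -> bool:
    """Steps 555-557: elapsed RTC time for a benchmark of cttl_cycles system
    clock cycles must match the calibrated conversion factor within tolerance."""
    expected_s = cttl_cycles / sysclk_hz
    measured_s = (rtc_end - rtc_start) / RTC_HZ
    return abs(measured_s - expected_s) <= tolerance * expected_s


def clock_integrity_check(store: StoredReading,
                          read_rtc: Callable[[], int],
                          run_benchmark: Callable[[], None]) -> str:
    """Returns 'ok', 'nonmonotonic' (step 560) or 'rate_mismatch' (step 559)."""
    start = read_rtc()                                # step 552
    if not monotonicity_test(store, start):           # step 553
        return "nonmonotonic"
    run_benchmark()                                   # step 555
    end = read_rtc()                                  # step 556
    if not benchmark_rate_test(start, end):           # step 557
        return "rate_mismatch"
    return "ok"


def simulate(prior_rtc: int, start_rtc: int,
             ticks_during_benchmark: int) -> Tuple[str, Optional[int]]:
    """Drive the check with a constructed RTC: it reads start_rtc first and
    advances by ticks_during_benchmark while the benchmark 'runs'.
    Returns (verdict, reading left in the store)."""
    store = StoredReading(last_rtc=prior_rtc)
    rtc = {"t": start_rtc}

    def read_rtc() -> int:
        return rtc["t"]

    def run_benchmark() -> None:
        rtc["t"] += ticks_during_benchmark

    return clock_integrity_check(store, read_rtc, run_benchmark), store.last_rtc


if __name__ == "__main__":
    print(simulate(1_000, 2_000, 16_384))    # ('ok', 2000): exactly 0.5 s elapsed
    print(simulate(5_000, 2_000, 16_384))    # ('nonmonotonic', 5000): RTC behind stored reading
    print(simulate(1_000, 2_000, 163_840))   # ('rate_mismatch', 2000): RTC ran 10x too fast
```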

v. VRT Security Bit and the Power Integrity Check.

[0088] The VRT Security Bit is provided to inform the system that both the battery and system power have simulta- 
neously dropped below an acceptable voltage, for example 2V. When that occurs, any volatile storage information, as 
well as the time count in the Real Time Clock 5, may be lost. References to RAM 8 in this context will [include] 
off-chip RAM powered by VOUT 23. Referring to FIG. 1, the VRT bit may be implemented as a special bit in the Status 
Register 11 with voltage detection circuitry tied to VPP 24, such as pull-up or pull-down resistors designed to make the 
[bit read as cleared in the] absence of sufficient voltage. Thus, the VRT bit is cleared by the [loss of voltage and set by the] 
Micro Controller 3 via Status Read/Write lines 36. The VRT bit is used in conjunction with [modifica-] 
tion detection codes on the RAM 8, to perform an overall integrity check on the battery-backed section [...]. [The] 
modification detection codes may be any one of an assortment of suitable codes, as [...], from a 
simple checksum, to a cyclic redundancy check (CRC), to more elaborate algorithms such as MD5 owned by RSA Data 
Security Inc., each affording different levels of security, compactness and error recoverability. For example a simple 
checksum, while easy to implement, allows a large degree of freedom for an attacker to overwrite the contents of RAM 
8 while preserving the same overall checksum. Whichever modification detection code is used, the code result is con- 
ventionally stored along with the RAM 8 it is measuring.

[0089] With reference now to FIG. 14(b), the general [...] [When the SPU i]s 
powered up, the Micro Controller 3 performs the necessary initialization operations on the SPU 252. Then, the Micro 
Controller 3 polls the Status Register 11 to ascertain the state of the VRT bit 253. If the VRT bit is set to 1, a modification 
detection operation on the RAM 8 is performed 254. Then, the SPU determines if any modification has been detected 
255. If not, the SPU is said to be in its normal operating state, and thus should only implement commands that give 
restricted access to its secret data 256, and the process then exits 257. 

[0090] If a modification has been detected, the SPU is in an error state and so the security problem is signalled 258 
[...]

[0091] Where the VRT bit is set to 0, a modification detection operation is also performed 259. If no modification is detected, 
the SPU is in a secure, albeit low power state; in other words, although the RAM 8 presently checks out, the power can- 
not be trusted and so this problem should be signalled 261 and the process exits 257. 

[0092] Finally, there is the scenario where modification was detected, yet VRT is 0 - this modification detection is 
spurious as the RAM 8 is in a random configuration, i.e. it is said to be in the manufacturing state. The [following is a] 
description of a response taken in one embodiment of this invention, and should not be read to preclude any number of 
possible responses in this state. In this one embodiment, the SPU could zeroize [all] secret data [and load] 
default operational configuration parameters, such as the lowest System Clock 2 oscillator frequency, [stored] 
in the ROM 7, to operate in the most trustworthy state 262. The SPU then could enter a mode whereby manufacturing 
tests may be performed and the configuration parameters may be set 263. Then, any manufacturing tests may be per- 
formed in order to guarantee the reliability of the SPU 264. Once those tests have been made successfully, the secret 
data, such as the keys, may be loaded, and a modification detection code performed on the entire contents of RAM 8 
and stored therein 265. Finally, the SPU will set the VRT bit to 1, putting it into the normal operating state 266, after 
which the process may exit 257.
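The four-way decision of FIG. 14(b), combining the VRT bit with a modification detection code over RAM 8, as an added Python example (not the patent's firmware). A CRC-32 is used as the modification detection code; the RAM images, secrets and configuration bytes are constructed, and the additive checksum at the end is included only to show why the text warns against it.

```python
"""Power integrity check of FIG. 14(b): the VRT bit combined with a
modification detection code (MDC) over RAM 8.

Added example, not the patent's firmware.  A CRC-32 is used as the MDC; the
RAM images, secrets and configuration bytes are constructed.
"""
import zlib
from enum import Enum
from typing import Tuple

MDC_LEN = 4  # the CRC-32 result is stored along with the RAM it measures


class Outcome(Enum):
    NORMAL = "normal operating state (step 256)"
    ERROR = "modification detected with power good: security problem (step 258)"
    LOW_POWER = "RAM intact but power not trustworthy: signal problem (step 261)"
    MANUFACTURING = "random RAM and power lost: manufacturing state (step 262)"


def compute_mdc(body: bytes) -> bytes:
    return zlib.crc32(body).to_bytes(MDC_LEN, "little")


def seal_ram(body: bytes) -> bytearray:
    """Store the MDC alongside the contents it measures (step 265)."""
    return bytearray(body + compute_mdc(body))


def ram_modified(ram: bytes) -> bool:
    """Steps 254/259: recompute the MDC and compare it with the stored one."""
    if len(ram) < MDC_LEN:
        return True
    body, stored = ram[:-MDC_LEN], ram[-MDC_LEN:]
    return compute_mdc(bytes(body)) != bytes(stored)


def power_integrity_check(vrt_bit: int, ram: bytes) -> Outcome:
    """Decision logic of steps 253-262."""
    modified = ram_modified(ram)
    if vrt_bit == 1:
        return Outcome.ERROR if modified else Outcome.NORMAL   # steps 254-258
    if not modified:
        return Outcome.LOW_POWER                                # steps 259-261
    return Outcome.MANUFACTURING                                # step 262


def manufacturing_recovery(config_defaults: bytes, secrets: bytes) -> Tuple[bytearray, int]:
    """One embodiment's response (steps 262-266): zeroize, apply default
    configuration, (run manufacturing tests), load secrets, reseal, set VRT=1."""
    ram = bytearray(len(config_defaults) + len(secrets))   # step 262: zeroized
    ram[:len(config_defaults)] = config_defaults            # constructed stand-in for ROM defaults
    # steps 263-264: manufacturing tests would run here
    ram[len(config_defaults):] = secrets                    # step 265: keys loaded
    sealed = seal_ram(bytes(ram))                           # step 265: MDC over entire RAM
    return sealed, 1                                        # step 266: VRT set to 1


def weak_checksum(body: bytes) -> int:
    """Simple additive checksum, included only to show why the text warns
    against it: reordering bytes leaves it unchanged, unlike the CRC."""
    return sum(body) & 0xFF


if __name__ == "__main__":
    ram = seal_ram(b"constructed-key-material")
    print(power_integrity_check(1, ram))          # Outcome.NORMAL
    tampered = bytearray(ram)
    tampered[0] ^= 0xFF
    print(power_integrity_check(1, tampered))     # Outcome.ERROR
    print(power_integrity_check(0, ram))          # Outcome.LOW_POWER
    print(power_integrity_check(0, tampered))     # Outcome.MANUFACTURING
```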

vi. Bus Monitoring Prevention.

[0093] With PDPS one is concerned with protecting secret information which, among other objectives, implies thwart- 
ing any attempt to monitor the internal data transactions that carry secret information. It is axiomatic that a device incor- 
porating PDPS must have input and output ports, taking in data, performing operations on this data using the internal 
secret information and then outputting the resulting data. If an integrated circuit could be altered in such a way that the 
secret information contained in the device could be extracted through an input or output port, or if a random failure 
within the device caused this to happen, then the PDPS system would no longer be secure.

[0094] Prior solutions for keeping secret information have involved restricting such information to within the confines 
of a single integrated circuit chip, thus preventing an interloper with standard evaluation tools from monitoring inter-chip 
data traffic and thereby discerning the secret information. This confinement approach required a high degree of chip 
integration, in order that all functions needing the secret information are implemented on the same piece of silicon. Also, 
input and output ports of these integrated circuits would need to be disabled while secret information was being inter[...]

[0095] The prior solutions relied on the difficulty in modifying already complete manufactured integrated circuits. This 
is no longer the case, as semiconductor evaluation tools have drastically improved in their sophistication and capabili- 
ties. It is now possible to modify parts of an integrated circuit without damaging the other parts or the chip's overall func- 
tion. Thus, a device which would keep its secret information on internal buses only, could now be modified to transfer 
that information to its input or output ports. This is a lot easier to implement than [...] 
into the internal bus. It should be repeated that even random failures within an integrated circuit have been known to 
result in a similar scenario. In both cases, therefore, monitoring the input and output ports would allow the secret infor[...]

[0096] The basis on which to combat this problem, in the present invention, is to create a mechanism internal to the 
chip that verifies that the original design of the input or output circuitry has not been modified by either an attack or ran- 
dom failure, before bringing out any secret information onto the internal bus. This is accomplished by interrogating crit- 
ical circuit components to ensure that they are intact and functioning correctly. The detection of a security breach could 
thus be acted upon accordingly, but at the very least, the bus should be disabled from bringing out any secret informa- 
tion. Also, the secret information should be brought out in several pieces, which has the virtue that, were a random hard- 
ware fault to occur precisely when secret information was brought onto the internal bus, then only a small and probably 
useless portion would be compromised.

[0097] The SPU contains ports that allow data to be transferred from an internal secure bus to external buses. The
implementation is brought about, in one embodiment, with special circuitry that is added to the input/output ports and
special routines in firmware that are executed by the internal Micro Controller. The internal Micro Controller keeps an
internal copy of the last data written to the output register of that port. The internal Micro Controller can read the contents
of both the input and output registers, whereas in a conventional port only the input registers can be read by the Micro
Controller. Before bringing secure information onto the bus, the Micro Controller interrogates the port to ensure that the
last valid data written to the port is still in place; otherwise, the Micro Controller does not bring secret information onto
the bus. If valid data is in place, then a portion of the secret data is brought onto the bus and transferred internally as
necessary. The port is again checked to ensure that valid data is in place in the input/output port's output register. If the
secret data, or any other data, is detected in the ports then the Micro Controller does not bring any other secret informa-
tion onto the bus. This is continued until all secret information is transferred to its internal destination.

[0098] It should be noted that the use, or non-use, of the Bus Monitor is a process controlled from firmware. Referring
to FIG. 15, this process shall now be described in detail. Upon the Start 320, the Micro Controller 3 determines whether
secret data needs to be transferred onto the Internal Bus 10 in step 352. If not, data may be transferred on the Internal
Bus 10 in the conventional manner 353. If secret data is to be transferred on the Internal Bus 10, the Micro Controller
3 reads back the output port registers 354 and stores them in temporary storage 355. In one embodiment, before
secret data is moved onto the Internal Bus 10, non-secret data is sent over the Internal Bus 10 as a test 356. The output
port registers are again read back 357 and compared with the previously stored read-back 358. Should they prove dif-
ferent, the process aborts, signals the security problem 325 and exits at step 362; but if they are the same the proc-
ess may proceed, as part of a loop, to determine whether any and all parts of the secret data have already been
transferred on the Internal Bus 10 in step 359. If not, the next part of the secret data is moved on the Internal Bus 10 at
step 360 and then the process loops back to step 357 to read back the output port registers again. If all parts of the
secret data have been transferred, the process loops back to step 352 to control further data transfers on the Internal
Bus 10.
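The FIG. 15 procedure, written out as a software model so that the effect of the read-back check and of moving the secret in pieces can be seen. This is an added example for this page, not the SPU's firmware; the port, bus and controller objects are hypothetical and are modelled only as far as the text describes them (an output register the Micro Controller can read back, a port whose output circuitry has been altered or has failed so that it mirrors bus traffic, and a transfer done one piece at a time).

```python
"""Software model of the Bus Monitor procedure of FIG. 15 (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


class SecurityProblem(Exception):
    """Raised at FIG. 15 step 358 when a port read-back differs from the snapshot."""

    def __init__(self, message: str, exposed: int):
        super().__init__(message)
        self.exposed = exposed      # secret bytes that reached the bus before detection


@dataclass
class IOPort:
    """One I/O port whose output register the Micro Controller can read back.

    ``fail_after`` models the attack (or random fault) the text describes: after
    that many bus transactions the output circuitry starts mirroring whatever is
    placed on the internal bus.  ``None`` means the port stays intact.
    """
    output_reg: bytes
    fail_after: Optional[int] = None
    seen: int = 0

    def on_bus_traffic(self, data: bytes) -> None:
        self.seen += 1
        if self.fail_after is not None and self.seen > self.fail_after:
            self.output_reg = data


@dataclass
class InternalBus:
    ports: List[IOPort]
    delivered: List[bytes] = field(default_factory=list)

    def put(self, data: bytes) -> None:
        self.delivered.append(data)
        for port in self.ports:
            port.on_bus_traffic(data)


def read_back(ports: List[IOPort]) -> List[bytes]:
    """Steps 354/357: read the output register of every port."""
    return [p.output_reg for p in ports]


def transfer_secret(bus: InternalBus, secret: bytes, piece: int = 2,
                    test_word: bytes = b"\x5a") -> int:
    """Move ``secret`` onto the bus ``piece`` bytes at a time, checking the
    ports after a non-secret test word and again after every piece.

    Returns the number of secret bytes moved.  On a mismatch it raises
    SecurityProblem carrying how many secret bytes were already on the bus;
    the pieces not yet moved are never exposed, which is the point of moving
    the data in pieces at all.
    """
    snapshot = read_back(bus.ports)                       # 354, 355
    bus.put(test_word)                                    # 356: non-secret test
    if read_back(bus.ports) != snapshot:                  # 357, 358
        raise SecurityProblem("port changed after test transfer", 0)
    moved = 0
    for i in range(0, len(secret), piece):                # 359: more to move?
        bus.put(secret[i:i + piece])                      # 360
        moved = min(i + piece, len(secret))
        if read_back(bus.ports) != snapshot:              # 357, 358 again
            raise SecurityProblem(f"port changed after {moved} secret bytes", moved)
    return moved


def run_transfer(ports: List[IOPort], secret: bytes) -> Tuple[bool, int]:
    """Convenience wrapper: (transfer completed?, secret bytes that reached the bus)."""
    try:
        return True, transfer_secret(InternalBus(ports), secret)
    except SecurityProblem as problem:
        return False, problem.exposed


if __name__ == "__main__":
    key = bytes(range(16))                                # constructed 16-byte secret
    print("intact port:       ", run_transfer([IOPort(b"\x00")], key))
    print("tampered before:   ", run_transfer([IOPort(b"\x00", fail_after=0)], key))
    print("fault mid-transfer:", run_transfer([IOPort(b"\x00", fail_after=3)], key))
```

A port already tampered with is caught by the test word at step 356 before any secret byte moves; a port that fails part-way exposes only the pieces moved before the next read-back, so a smaller piece size bounds the loss at the cost of more read-backs.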

[0099] This approach has the virtue of relatively low-cost implementation, without any special semiconductor process-
ing. It also guards against combined physical and electrical attacks, as well as random failures. This system, by being
implemented in multiple blocks within the integrated circuit, in conjunction with firmware operated by the Micro Control-
ler, would be expensive and difficult to reverse engineer.

vii. Trip Wire Input. 

[0100] Many of the concerns regarding attack on the input/output pins of the SPU, described above in the context of
the Bus Monitor Prevention, may be addressed through monitoring of just these pins, providing cryptographic alarms or
barriers to just those kinds of attacks. An attacker may be monitoring any given pin, to determine its functionality. The
pins 32 of the I/O Port 1, being programmable, are ideally suited to detect any such unexpected reads or writes. Fur-
thermore, they may be used not only to detect an attacker usurping these pins 32, but may also be used as inputs from
off-chip external detectors, such as a battery of photo detectors arrayed inside a PCMCIA card.
[0101] With reference to FIG. 16, the process that begins at step 401 will now be described in detail. A given bit, the
Xth bit, on the I/O Port 1 is set to a 1 402. The process waits until the operating system has determined it is time for the
I/O Port 1 to be checked 403. This should take into account, for instance, when such pin needs to be used for regular
I/O operations. When such time arrives, the Xth bit is read 404 and checked to see if it is still a 1 405. If so, the process may
return to its wait state at step 402. Otherwise, the process aborts and signals the security problem 406, and the process
exits 407. Note that the trip wire fires only when the pin's state is actually disturbed, as when an attacker drives the pin;
a purely passive, high-impedance probe reading the pin does not clear the bit, so this check complements rather than
replaces the Bus Monitor.

viii. Software Attack Monitor.

[0102] One of the least expensive ways to defeat the security system in a hardware device (which may contain a plu-
rality of components such as a microprocessor, PALs, etc.) is to mount a random-data electronic attack on the hardware
device. Specifically, an attacker could send signals (which may be commands, data, or random signals) to the input pins
of some of the components in the device and monitor the output pins of the same and/or different components. This
kind of attack requires little or no special hardware, and the attacker may be able to learn confidential information con-
tained in or protected by the hardware device.

[0103] A typical attack strategy is now described. An attacker would monitor the hardware and software operation of
the hardware device during normal operation. As a result, the attacker could determine the normal command
structure of the programmable components in the hardware device. The attacker would then create his
own command sequences (e.g., by slightly modifying the commands or the command operators, or by issuing
entirely different commands) based on the information obtained. The reaction of the components to these command
sequences is then recorded, thus building up a "characterization database." As the operation of the components
becomes understood, the signals sent to the components are no longer random but are designed to identify commands
or responses that could defeat the overall system.

[0104] Under such an attack the processor will receive a large number of invalid commands, at least during the initial
phase of the attack. Consequently, one way to counter the attack is for the SPU to detect the occurrence of an excessive
number of invalid commands and take appropriate actions to defeat or hinder the attack. One should bear in mind that
some perfectly innocent operations also generate invalid commands, as for example, when a computer upon boot-up
interrogates all of the devices attached to it.

[0105] FIG. 17 is a flowchart of a Software Attack Monitor that allows the SPU to set several limit parameters, each
having an associated action. The flowchart shown includes four limit parameters. Note that the number of four is illus-
trative only and any number of limit parameters may be used. The flowchart begins at step 940 and then sets the
values of the four limit parameters 942. The flowchart then branches into a loop consisting of blocks 946-968.
In block 946 the SPU determines whether a command is valid. If the command is valid, it is processed in the
normal manner (block 948). The flowchart then branches back to block 946 to fetch and examine another command. If
the command is invalid, flowchart 940 goes to block 950, which calculates the number of invalid commands per unit
time. The result is compared with the first limit parameter. If the result is less than the first limit parameter, then no
tamper-reactive action is taken, and the flowchart branches back to block 946 to process the next command. If the result
is larger than the first limit parameter, the process generates a signal indicating a first level security problem.

Flowchart 940 then branches to the comparison with the second limit parameter. If the number is less than the second
limit parameter, then no additional action is taken, and flowchart 940 branches back to block 946 to process the next
command. If the number is larger than the second limit parameter, the process generates a signal indicating a second
level security problem (block 958).

Flowchart 940 then branches to block 960, which compares the number with a third limit parameter. If the number is
less than the third limit parameter, no additional action is taken, and flowchart 940 branches back to block 946 to
process the next command. If the number is larger than the third limit parameter, the process generates a signal
indicating a third level security problem.

Flowchart 940 then branches to block 964, which compares the number with a fourth limit parameter. If the number is
less than the fourth limit parameter, no additional action is taken, and flowchart 940 branches back to block 946 to
process the next command. If the number is larger than the fourth limit parameter, the process generates a signal
indicating a fourth level security problem.

[0111] It is of course up to the supervisory program to decide what steps to take in response to signals of the various
limit security problems. The SPU can be programmed to take any or all appropriate actions.
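The loop of FIG. 17 in code, so that the ascending limits and the cumulative level signals can be exercised against a command stream. This is an added example for this page, not the SPU's firmware: the command names, the limit values, the one-second unit of time and the sample stream (an innocent boot-up interrogation followed by a burst such as a characterization attack would produce) are all constructed for the illustration.

```python
"""Software Attack Monitor in the style of FIG. 17 (added example)."""
from collections import deque
from typing import Deque, List, Optional, Sequence, Tuple

# Commands the (hypothetical) device understands; anything else is invalid.
VALID_COMMANDS = frozenset({"GET_STATUS", "VERIFY_PIN", "ENCRYPT", "DECRYPT"})


class SoftwareAttackMonitor:
    """Counts invalid commands per unit time and compares the rate against an
    ascending list of limit parameters (step 942), signalling every level whose
    limit is exceeded (block 950 onward)."""

    def __init__(self, limits: Sequence[float], unit_time: float = 1.0):
        if list(limits) != sorted(limits):
            raise ValueError("limit parameters must be ascending")
        self.limits = tuple(limits)
        self.unit_time = unit_time
        self._invalid: Deque[float] = deque()         # timestamps of recent invalid commands
        self.signals: List[Tuple[float, int]] = []    # (time, level) handed to the supervisor

    def invalid_rate(self, now: float) -> float:
        """Block 950: invalid commands per unit time, over a sliding window."""
        while self._invalid and now - self._invalid[0] >= self.unit_time:
            self._invalid.popleft()
        return len(self._invalid) / self.unit_time

    def handle(self, now: float, command: str) -> Optional[int]:
        """Block 946.  Returns None for a valid command (processed normally, 948),
        otherwise the highest security-problem level signalled (0 if none)."""
        if command in VALID_COMMANDS:
            return None
        self._invalid.append(now)
        rate = self.invalid_rate(now)
        level = 0
        for candidate, limit in enumerate(self.limits, start=1):   # 952 .. 964
            if rate <= limit:
                break                      # back to 946 for the next command
            level = candidate
            self.signals.append((now, level))
        return level


def run_stream(stream: Sequence[Tuple[float, str]], limits: Sequence[float],
               unit_time: float = 1.0) -> Tuple[List[Optional[int]], int]:
    """Feed a (time, command) stream through the monitor; returns the per-command
    levels and the total number of signals raised."""
    monitor = SoftwareAttackMonitor(limits, unit_time)
    levels = [monitor.handle(t, cmd) for t, cmd in stream]
    return levels, len(monitor.signals)


# Constructed stream: two unknown commands at boot (the innocent interrogation
# the text mentions), one valid command, then a burst of ten unknown commands
# within one second.
SAMPLE_STREAM: List[Tuple[float, str]] = (
    [(0.0, "PROBE_A"), (0.1, "PROBE_B"), (0.2, "GET_STATUS")]
    + [(5.0 + 0.1 * i, f"FUZZ_{i}") for i in range(10)]
)

if __name__ == "__main__":
    levels, count = run_stream(SAMPLE_STREAM, limits=(2, 4, 6, 8))
    for (t, cmd), level in zip(SAMPLE_STREAM, levels):
        print(f"t={t:4.1f} {cmd:10s} -> {'valid' if level is None else 'level ' + str(level)}")
    print("signals raised:", count)
```

With limits of 2, 4, 6 and 8 invalid commands per second the two boot-up probes never exceed the first limit, while the burst climbs through all four levels; as in the flowchart, exceeding a higher limit also re-emits the signals of every lower level, which is why twenty signals are raised for ten invalid commands.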
c. Programmable Security.

[0112] The Programmable Distributed Personal Security System is based on the orchestration of three conceptually
distinct, but nonetheless interrelated, systems: (i) detectors, which alert the SPU to the existence, and help characterize
the nature, of an attack; (ii) filters, which correlate the data from the various detectors, weighing the severity of the attack
against the risk to the SPU's integrity, both to its secret data and to the design itself; and (iii) responses, which are coun-
termeasures, calculated by the filters to be most appropriate under the circumstances, to deal with the attack or attacks
present. The selection of responses by the filters would be said to constitute the policy of the SPU. The present inven-
tion permits a wide capability in all three of the detectors, filters and responses, allowing a great degree of flexibility for
programming an appropriate level of security/policy into an SPU-based application.
[0113] The effectiveness of this PDPS trio is enhanced significantly by the other design features of the SPU architec-
ture described above, as for example: the Power Block 13, Power Isolation 13, Silicon Firewall 20, System Clock 2 and
Real Time Clock 5, and the Inverting Key Storage. Although the implementation of some of these features creates secu-
rity barriers, which do not strictly fit into the detector/filter/response paradigm, the presence of these barriers certainly
slows or even thwarts an attacker's progress, allowing for more time to detect an attack, filter out the characteristics of
such attack and thus make a more measured response thereto.

i. Detection.

[0114] A wide variety of detectors have already been disclosed, some implemented in hardware, others in firmware.
Some may bear witness unambiguously to an actual physical intrusion into the SPU, such as the Metallization Layer
Detector 18; others, such as the Photo Detector 16, may be triggered by noninvasive means, such as an X-ray of the SPU,
or by very invasive means, such as the actual de-encapsulation of the chip. Again, the purpose at this stage is not to
coordinate all related information; it is simply to report the detection and move on.

[0115] Referring to FIG. 18, the process of how detectors are generally handled will now be described. The process
begins 451 by a decision of whether the detector signal is generated by hardware or firmware 452. The exact nature of
how this step is taken is unimportant. Here it is represented by an interrupt generated in the Micro Controller 3, but it
could just as easily be based on some periodic polling of registers or any other equivalent method well known to prac-
titioners in the art. Even the distinction between firmware and hardware detectors is at a certain level irrelevant, as the
parallel treatment in FIG. 18 shows. If the interrupt was generated by hardware, the Status Register 11 would then be
polled 453. In this implementation, the key to determining whether indeed any hardware detector was activated was that
one or more bits of the Status Register 11 should have changed from the last time it was read 454. If so, the SPU could
then take actions as dictated by its programmed policy 455. If not, either an error has occurred owing to a false detec-
tion, or certain operational features are in play, such as the signal owing to a periodic wake-up of the SPU under battery
power. In either case, action dictated by policy, given such an error or feature, should then be taken 460. Alternatively,
at step 452, had the signal originated in firmware, the process would set about determining the routine generating it
461. If such routine proved to be a valid one 462, again action should be taken as dictated by policy 455. Otherwise,
action consistent with this error or possible feature should be taken, again as dictated by policy 463. All the aforemen-
tioned scenarios thereafter converge. If, in accordance with one alternate embodiment disclosed herein, an alarm
wake-up capability is provided, and the process was invoked owing to such an alarm 456, the process would then gen-
erate the SLEEP 41 signal 459 and terminate 458. Otherwise, the process would return from interrupt or whatever
housekeeping is required in accordance with the particular implementation used 457 and then terminate 458.

ii. Filtering.

[0116] The programmable filtering process lies at the heart of PDPS; without it one merely has hardwired and indis-
criminate responses to various attacks. With reference to FIG. 19, this process itself consists of two stages: (i) correlat-
ing signals produced by the various detectors to ascertain the attacks involved (FIGS. 19(a), 19(b), 19(c)); and (ii)
based on the attacks involved, selecting an appropriate response (FIGS. 19(d), 19(e), 19(f)). There are, of course, oper-
ational factors involved at both stages of this process. These factors may be static and intrinsically related to the type
of application, the architecture of the SPU, etc., or they may be dynamically varying and related to, for example: (i) the
prior history or frequency of detected signals, responses, or all events; (ii) the present state of the SPU; (iii) the present
stage or mode of the application; (iv) the potential harm a given attack may represent; or (v) combinations of factors or
detector signals, for example, coming from a given set, occurring in a particular order, or occurring within a fixed time frame.
[0117] The conditions whereby the detectors are correlated are as follows. In FIG. 19(a), a false alarm condition is
shown. A signal is detected, Da 501, without corresponding to any real attack, A0 502. There are various means by
which such a false alarm could be discerned. For example, the detector producing the Da 501 signal could be polled
once more to determine whether the first reading was spurious or not. Alternatively, it may be inferred from the state of
other detectors. Such a scenario will be discussed in the context of FIG. 19(c). FIG. 19(b) demonstrates the opposite
extreme, where a signal Db 503 corresponds unambiguously to one attack, Ab 504. However, most attacks will be char-
acterized as in FIG. 19(c), where each of one or more detectors, Dc1 505, Dc2 506 and Dc3 507, in conjunction with zero
or more factors, Fc1 508, Fc2 509, are required to fully characterize a given attack, Ac 510.

[0118] The selection of responses to attacks falls into the following categories. There is, of course, the non-response
R0 512, in FIG. 19(d), whereby no action is taken for a given attack, Ad 511. This may owe to a lack of capability, a delib-
erate design choice, or an application decision. In FIG. 19(e), analogous to the unambiguous condition of FIG. 19(b),
there is the unconditional response Re 514 to an attack Ae 513. This may represent a last-ditch scenario, where all outer
defenses have been breached and some unequivocal and serious countermeasure needs to be taken. On the other
hand, it may also be an application decision. Finally, in FIG. 19(f), there is the general scenario where one or more
attacks, Af1 515, Af2 516, in conjunction with zero or more factors, Ff1 517, Ff2 518, Ff3 519, must have been or are
present, in order to select the response Rf 520.

[01 1 9] By custom tailoring the correlation of the detector signals, as well as the selection of the responses, a program- 
mable security system can be application- as well as environment-specific. 

iii. Responses . 

[0120] The final system of PDPS involves the provision of a wide variety of responses, to allow for a rich and full set
of countermeasures suited to the attack scenario. These responses can be categorized into five major groups: (i)
passive; (ii) alarm; (iii) decoy; (iv) restriction of access; and (v) destructive. Examples of each are given in
TABLE I, which is meant to be an illustrative, but by no means exhaustive, list.



TABLE I
Examples of Typical Responses

Passive:
  • Non-response
  • Log attack internally

Alarm:
  • Signal local computer
  • Signal remote computer
  • Set I/O Port pin high

Decoy:
  • Random command response
  • Random external bus activity

Restricted Access:
  • Disable SPU for period of time
  • Require recertification
  • Disabling use of keys, passwords

Destructive:
  • Destroy keys
  • Destroy secret data
  • Disable SPU permanently

[0121] A passive response would be one where the SPU conveys no external signal, nor functions in any observable
manner different from its normal mode of operation. This would of course include the classic "non-response" dis-
cussed earlier, but also an on-board logging of the attack with its type, timestamp, context, etc.
[0122] An alarm response would indeed convey an externally detectable signal. The SPU may signal the calling appli-
cation, for instance, to alert the user that the SPU is aware of the attack and may have to proceed to more drastic meas-
ures if such attack is not discontinued. In a situation where the SPU is connected via a network or modem to some
monitoring computer, as, for example, in an information metering context, the SPU may signal that remote computer to
indicate that the user is attempting to attack it. On the hardware level, an alarm may be implemented simply by setting
an I/O Port pin high.
[0123] A decoy response would be a departure from the normal mode of SPU activity. It may indeed mimic valid SPU
activity. Examples would be to execute SPU commands, or to generate signals on the External Bus Interface 9, either
selected at random or from some predetermined set.
[0124] A restricted access response would be to disable some functions from the normal mode of SPU operation.
Examples include disabling the SPU totally for some period of time or until recertified in some manner, or disabling
the use of keys or passwords.
[0125] Finally, there is the destructive response, which disables functionality of the SPU permanently. Examples
include destruction in memory, by erasing keys or other secret data, or permanent physical disablement, such as the
burning out of internal fuses.

d. Attack Scenarios. 

[0126] Now that the overall structure of the invention has been laid out, it is fruitful to describe in detail the various
attack scenarios, the manner in which they are conducted, the information or effect they wish to achieve or obtain, the
design features of the SPU that would thwart such an attack, factors that are relevant in reacting to such attacks, and
the suggested responses to such an attack. A summary of the applicable disclosed SPU features, detectors and
responses is to be found in TABLE II. These scenarios are by no means exhaustive, but merely illustrative. All further
references, unless specified otherwise, are to elements of FIG. 1.
TABLE II
Summary of Attack Scenarios

Attack Type: Electrical Attack on I/O Ports
  SPU Protective Feature(s): Silicon Firewall 20; Alarm wake up
  Triggered Detector(s): Bus Monitor; Trip Wire Input; Software Attack Monitor; Metallization Layer Detector 18; Photo Detector 16
  Suggested Response(s): Random command response; Random external bus activity; Disable SPU temporarily; Disable SPU permanently

Attack Type: Clock Attack
  SPU Protective Feature(s): Silicon Firewall 20; System Clock 2; Real Time Clock 5
  Triggered Detector(s): RTC Rollover Bit; Monotonicity test; System/Real Time Clock cross-check; Temperature Detector 17
  Suggested Response(s): Use other clock; Disable metering functions

Attack Type: Key Attack
  SPU Protective Feature(s): Battery-backed RAM 8; Metallization layer; Inverting key storage
  Triggered Detector(s): Metallization Layer Detector 18; Bus Monitor; VRT Security Bit
  Suggested Response(s): Disable use of keys; Destroy keys

Attack Type: Physical Attack
  SPU Protective Feature(s): Physical coating; Metallization layer
  Triggered Detector(s): Temperature Detector 17; Photo Detector 16
  Suggested Response(s): Disable keys, secret data; Destroy keys, secret data

Attack Type: Combination Attack
  SPU Protective Feature(s): Any/all of the above
  Triggered Detector(s): Any/all of the above
  Suggested Response(s): Any/all of the above

Attack Type: User Fraud
  SPU Protective Feature(s): Silicon Firewall 20; Power Block 13
  Triggered Detector(s): RTC Rollover Bit; Monotonicity test; System/Real Time Clock cross-check; VRT Security Bit
  Suggested Response(s): Signal local computer; Signal remote computer; Disable metering functions; Require recertification


i. Electrical Attack on I/O Ports.
[0127] Arguably, the simplest form of attack would be an electrical attack on the I/O Port 1. This type of attack requires
very little special hardware. The attacker simply uses the same system configuration that is used in the normal applica-
tion; however, instead of using the intended software, the attacker creates his own code to interrogate the device. The
attacker could go one step further and place monitoring equipment on strategic points in the circuit, as for example the
SPU pins or PAL outputs. This would allow the attacker to more thoroughly characterize the chip in its normal operation
and when it is under attack.
[0128] The typical approach would be to monitor the hardware or software for some period of time during normal oper-
ation. From this the attacker could determine the normal command sequence. After this characterization, the attacker
could then create his own command sequences based on the information he has obtained. He could try to slightly mod-
ify the commands or the command operators to get the device to perform different functions. He might also try to issue
commands that he did not see before to see how the device would react. All during this process the attacker would be
recording the responses to the different stimuli. As patterns are detected, the data that is issued to the device is no
longer random but designed to further evaluate the particular operation. This continues until a particular operation is
fully characterized. It would be the attacker's intention to identify commands or responses that could defeat the overall
system. For example, the attacker might be looking for a reset operation command, and could then issue such com-
mand at inappropriate times.
[0129] As summarized in TABLE II, the detectors applicable to this attack are the Bus Monitor, the Trip Wire Input and
the Software Attack Monitor, and the suggested responses range from random responses to the eventual disabling of the SPU.

ii. Clock Attack.

[0130] Many applications of the SPU, such as information metering, depend on the Real Time Clock 5. However, the
external crystal 15 could be substituted to modify the frequency of the Real Time Clock 5. The SPU is
designed to perform integrity tasks, checking the Real Time Clock 5 against the System Clock 2 to see
if it is operating in the correct range (FIG. 14(a)). However, these integrity tasks would be per-
formed only when the entire system is powered. Once VDD 22 is removed, when only the battery-backed
Real Time Clock 5 remains operational, an attacker has an opportunity to attack the external crystal 15 with-
out immediate detection. With the Real Time Clock 5 running at the elevated rate, the attacker could advance the
counter until it rolled over. Subsequently the attacker could run the clock forward to whatever given time
reading he wished. This is analogous to the resetting of used-car odometers by an unscrupulous dealer.
[0131] The inaccessibility of the Internal System Clock 2 to attack, behind an internal Silicon Firewall, certainly stands
as a barrier, and the System Clock/Real Time Clock cross-check of FIG. 14(a) would detect any discrepancy once the
system is powered again. Were an attacker to try to alter the clock frequency instead by cooling or heating the SPU, the
Temperature Detector 17 would give such an approach away, as well as a clock cross-check. Furthermore, an attacker
attempting to run the counter through a rollover would set the RTC Rollover Bit, and a stored earlier time reading that
exceeds the present one would fail the monotonicity test. A suggested response would be to use the other clock, or
to disable all metering functions.
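The three clock checks that TABLE II lists against this attack (the RTC Rollover Bit, the monotonicity test and the System Clock/Real Time Clock cross-check of FIG. 14(a), the latter stated in claim 8 as a count of elapsed external clock cycles during a reference operation), carried out on constructed readings. This is an added example for this page, not the SPU's firmware: the 32-bit counter width, the 32768 Hz crystal, the 100 ms reference operation and the 5 % tolerance are assumptions, and the "rolled forward" scenario reproduces the attack of [0130] with the crystal restored before the SPU is powered again.

```python
"""Clock-attack checks in the style of FIG. 14(a) and claims 8 and 9 (added example)."""
from dataclasses import dataclass
from typing import List, Tuple

RTC_BITS = 32                      # assumed counter width
RTC_MODULUS = 1 << RTC_BITS


@dataclass
class RealTimeClock:
    """Battery-backed counter driven by the external crystal 15.  The hardware
    rollover detector of claim 9 sets ``rollover_bit`` when the counter wraps."""
    counter: int = 0
    rollover_bit: bool = False

    def advance(self, ticks: int) -> None:
        total = self.counter + ticks
        if total >= RTC_MODULUS:
            self.rollover_bit = True
        self.counter = total % RTC_MODULUS


def simulate_roll_forward(start: int, ticks: int) -> RealTimeClock:
    """What an attacker with a fast crystal does while VDD is off: run the
    counter forward, through the rollover, to a chosen reading."""
    rtc = RealTimeClock(start)
    rtc.advance(ticks)
    return rtc


def expected_ticks(crystal_hz: float, duration_s: float, tolerance: float) -> Tuple[float, float]:
    """Range of RTC ticks a reference operation of ``duration_s`` (timed by the
    internal System Clock 2) should take with a crystal of ``crystal_hz``."""
    nominal = crystal_hz * duration_s
    return nominal * (1 - tolerance), nominal * (1 + tolerance)


def ticks_during_reference_op(actual_crystal_hz: float, duration_s: float = 0.1) -> int:
    """What the RTC really counts during the reference operation.  A substituted
    crystal changes only this number, which is what the cross-check catches."""
    return int(actual_crystal_hz * duration_s)


def cross_check(observed_ticks: int, crystal_hz: float = 32768.0,
                duration_s: float = 0.1, tolerance: float = 0.05) -> bool:
    """Claim 8: elapsed external clock cycles must lie within the expected range."""
    low, high = expected_ticks(crystal_hz, duration_s, tolerance)
    return low <= observed_ticks <= high


def monotonic(stored_reading: int, current_reading: int) -> bool:
    """Monotonicity test: the time stored at the last check may not exceed the present time."""
    return current_reading >= stored_reading


def audit(rtc: RealTimeClock, stored_reading: int, actual_crystal_hz: float) -> List[str]:
    """Run all three checks and return the names of those that fail, for the filter stage."""
    failures: List[str] = []
    if rtc.rollover_bit:
        failures.append("ROLLOVER")
    if not monotonic(stored_reading, rtc.counter):
        failures.append("MONOTONICITY")
    if not cross_check(ticks_during_reference_op(actual_crystal_hz)):
        failures.append("CROSS_CHECK")
    return failures


if __name__ == "__main__":
    print("honest SPU:    ", audit(RealTimeClock(1000), 900, 32768.0))
    print("fast crystal:  ", audit(RealTimeClock(1000), 900, 1_000_000.0))
    print("rolled forward:", audit(simulate_roll_forward(RTC_MODULUS - 10, 20),
                                   RTC_MODULUS - 10, 32768.0))
```

The cross-check only runs while the system is powered, so an attacker who swaps the crystal back before VDD returns passes it; the rolled-forward case shows why the Rollover Bit and a stored reading for the monotonicity test are needed in addition.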
iii. Key Attack.
[0132] Secret information is stored in volatile memory. This is done to prevent an attacker from gaining the keys by
deprocessing the chip and "reading" the schematic. However, when keys are stored in volatile memory within a chip,
one can deprocess the chip and detect residual charge in the memory, which may reveal the contents stored
therein. The act of deprocessing would cause power to be removed from the volatile memory, causing the data
within the memory to be lost; but where a portion of memory has held the same data for a protracted period of
time, it may be possible to artificially age the memory device and recover the data from the residual charge.
[0133] The decapsulation required would be detected when the Metallization Layer was cut, and the Metallization
Layer Detector 18 would be set off. The protocol of the Bus Monitor Prevention (FIG. 15), transferring only a portion
of the key at a time onto the Internal Bus, and the Inverting Key Storage, which leaves no lasting imprint of the key
in any cell, further hinder such an attack.

iv. Physical Attack. 

[0134] Knowledge of the chip layout can lead one experienced in the art to identify the functions of the blocks on the
chip. Recognizing structures from prior chips, and the conventions of the design tools used, can also aid in the identi-
fication of functionality: random logic is laid out randomly, whereas other structures, such as RAM and ROM, have a
regular layout, meaning that large areas of a chip can be identified at a glance.
[0135] Modern semiconductor evaluation tools are ostensibly used to repair integrated circuits, by cutting the traces
that connect logic gates and by reconnecting the logical gates in a modified fashion on the integrated circuit itself. With
such tools it is less costly and less difficult to modify an existing port than to put down internal probes; however, they
can equally be used to bring out nodes within the SPU. Such an attack would involve the connection of a test probe to
the chip and running the altered circuit live, which would be detected by the Metallization Layer Detector 18, the Photo
Detector 16 and the Bus Monitor (FIG. 15). The same responses as given above apply.
[0136] Furthermore, de-encapsulation through grinding can create enough heat to trigger the Temperature Detector 17
as well as set off a vibration detector, and again, unless done in total darkness, exposure to light would set off the
Photo Detector 16. The appropriate response would be to disable or destroy the keys and secret data.

v. Combination Attack.

[0137] A combination attack would bring several of the above techniques to bear on different parts of the chip,
resolving the operational characteristics thereof. An attacker might, for instance, probe through the Metallization Layer;
however, this would only serve to slow such an attacker down. The same tools could be used to remove the Metallization
Layer and thus uncover previously secure areas, but the attacker would then be faced with reconnecting the traces in
the Metallization Layer before attempting to access secret information.
[0138] This attack would be slowed by practically every protective feature, and could certainly be detected by practically
all the aforementioned detectors. No guarantee of absolute security can ever be made, but as has been shown, each of
the component attacks must first defeat the barriers and detectors provided against it.
vi. User Fraud.

[0139] User fraud involves the use of an existing SPU outside of its intended modes of operation, as, for example, to
be undercharged for information purchased through an information metering device.
[0140] Such fraud might include operations such as trying to roll over the clock, or otherwise altering the time, so as to
interfere with usage reporting or metering.
[0141] In the information metering context usage might be billed against credit limits, such that should the SPU unit
fail, it would be presumed that the credit limit had been exhausted and the metering functions would be disabled. The
user could only overcome this presumption by returning the unit to whatever servicing agent, to verify that it had not been
tampered with, or by remote interrogation via modem for instance, and thereafter have the servicing agent recertify the
SPU device.
[0142] The principles of the present invention may be further illustrated through a simple application: the use of the
SPU-equipped PCMCIA card as an access card, which also operates as a simple debit-type card, programmed to pro-
vide digital cash and thus operating, in one of its simplest modes, through a PIN number issued by the user.
[0143] Referring to FIG. 20, the programmable security of such an access card will now be described; references
herein, unless specified otherwise, are to elements of FIG. 1. The process starts 1001 by determining whether any
detector has been set off 1002. If not, the process loops back to step 1002.
[0144] If the Photo Detector 16 is set off 1004, the next inquiry is whether the exposure was for a short period of time
1034. For example, the access card may have passed through an X-ray machine at the airport. Such exposure should
be very short term. Thus, if the exposure is short, the event should just be logged 1042 and the process returns, through
connectors 1043, 1003, to step 1002 (references to connectors will henceforth be dispensed with for the sake of brevity).
If the exposure is long, it is necessary to ask whether the detection is in conjunction with other detectors, as in the
attack scenarios discussed earlier. If so, the process disables the access card permanently 1036 and ends.
[0145] If the Temperature Detector 17 is set off, it is likewise necessary to ask whether it occurred in conjunction with
other detectors, in that it is more likely that a temperature excursion on its own is innocent; the correlation serves
to make sure that a serious attack is indeed being made on the card.
[0147] If either the ROLLOVER bit or the Monotonicity test (FIG. 14(a)) is triggered (steps 1008, 1009 respectively),
it may be safe simply to ignore them 1028 and loop back to step 1002, as this simply is not a time-sensitive
application.
[0148] If the Power Integrity Check (FIG. 14(b)) is triggered 1010, two situations are possible: (i) the error state; or (ii)
the low-power state. In the error state, the contents of RAM 8 are no longer trustworthy, which merits that the access
card be disabled permanently 1036. In the low-power state, the contents of RAM 8 remain trustworthy, but the credit
stored on the card will be lost if it is not soon transferred.
[0149] If either the Bus Monitor (FIG. 15) or the Trip Wire Input (FIG. 16) is triggered, there is little justifica-
tion to do otherwise than to disable the access card permanently 1036.
[0150] If the Software Attack Monitor (FIG. 17) is triggered, a logical first step would be to determine if the
access card is still in the handshaking phase, owing, for example, to the access card being
inserted into a card reader and various protocols attempted until a match is found between the card and the
card reader. In other words, this "handshaking" process should be taken into consideration. There-
after, a particularly important command would be the proper PIN number being
issued by the user. Thus, the first time an invalid command is given within the period of one transaction 1018, the
process may simply log the event 1042. The second time an invalid command is received within the period of one
transaction 1020, the access card may warn the user not to do it again 1024, after which a further invalid command
received within the period of one transaction would call for a stronger response. If no detector is triggered, the process
loops back again to step 1002 to await further detections.
[0151] While the invention has been described in detail with reference to particular embodiments, it will be understood
by one of ordinary skill in the art that various changes may be made without departing from the
spirit and the scope of the invention. Accordingly, it is not intended that the invention be limited except as by the
appended claims.
Claims

1. A secure chip for protecting sensitive information against potential attacks, the chip comprising:

(a) a cryptographic engine for performing cryptographic operations on messages using a first key; 
(b) one or more detectors for detecting events characteristic of an attack; and

4. A secure chip according to claim 1 and further comprising: 

(a) an internal system clock for synchronising functions performed on the chip; and 

nl^Jc^ 

whereby the chip cannot be placed in an unknown state due to the receipt of asynchronous external signals.

6. A chip according to claim 1 and further comprising:

(a) an internal bus for transferring information among components of the chip;

(b) an input/output port for transferring information between the components of the chip and external devices; and

(c) a bus monitor for protecting the sensitive information transferred along the internal bus.

7. A chip according to claim 6 wherein the bus monitor compares the contents of the input/output port before and
after a first transfer of less than all of the sensitive information desired to be transferred along the internal bus;

8. A chip according to claim 1 and further comprising:
reference operation, whether the number of elapsed actual external clock cycles lies within the range of
expected external clock cycles,
whereby the chip can detect unauthorised tampering with the external clock frequency.
9. A chip according to claim 1 and further comprising:

(b) a rollover detector for detecting whether the real time clock counter rolled over; and

(c) a rollover bit, set upon detecting that the real time clock counter rolled over,

quency.

10. A chip according to claim 1 and further comprising:

(a) a rewritable memory for storing sensitive information;

(b) a power loss detector for detecting that the loss of both system and battery power is imminent; and

rewritable memory and reset upon the detection of power loss,
whereby the chip can detect the need to save the sensitive information prior to the actual loss of both system and
battery power.

rewritable memory.
12. A chip according to claim 1 wherein the chip comprises:

(a) a rewritable memory for storing sensitive information having a substantially constant value;

(b) a memory inverter for periodically inverting the contents of each cell of the rewritable memory; and

(c) a memory state bit for indicating whether the contents of each cell of the rewritable memory are in their
actual state, or in the inverted state,

whereby the contents of the rewritable memory contain effectively no residual indication of the constant value of the
sensitive information.
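A model of the Inverting Key Storage of claim 12, showing the mechanism that [0133] relies on: the cells holding a constant key are inverted every period, the memory state bit records the polarity, and over time each cell spends as long at physical "1" as at "0", so the memory carries no residual imprint of the key while the key stays readable throughout. This is an added example for this page, not the patent's circuit; the key value and period count are constructed, and the "duty cycle" (fraction of periods a cell held a physical 1) is used as a stand-in for the accumulated charge stress an attacker would try to read out.

```python
"""Model of the Inverting Key Storage of claim 12 (added example)."""
from typing import List, Tuple


def _bits(data: bytes) -> List[int]:
    """Physical cell values, most significant bit of each byte first."""
    return [(byte >> (7 - j)) & 1 for byte in data for j in range(8)]


class InvertingKeyStore:
    def __init__(self, key: bytes):
        self.cells = bytearray(key)        # physical contents of the rewritable memory
        self.inverted = False              # memory state bit (claim 12(c))
        self.periods = 0
        self.ones = [0] * (8 * len(key))   # periods each cell spent at physical '1'

    def tick(self) -> None:
        """End of one period: account for the polarity held, then invert every
        cell and toggle the state bit (the memory inverter of claim 12(b))."""
        for i, bit in enumerate(_bits(bytes(self.cells))):
            self.ones[i] += bit
        self.periods += 1
        for i in range(len(self.cells)):
            self.cells[i] ^= 0xFF
        self.inverted = not self.inverted

    def read(self) -> bytes:
        """Logical key: undo the inversion when the state bit says the cells are inverted."""
        return bytes(c ^ 0xFF for c in self.cells) if self.inverted else bytes(self.cells)

    def duty_cycle(self) -> List[float]:
        return [n / self.periods for n in self.ones]


def residual_bias(duty: List[float]) -> float:
    """Distance of the worst cell from the 50 % duty cycle that leaves no imprint."""
    return max(abs(d - 0.5) for d in duty)


def compare(key: bytes, periods: int) -> Tuple[float, float]:
    """(bias of static storage, bias of inverting storage) after ``periods`` periods.
    A statically stored cell sits at its bit value the whole time, so its duty
    cycle is 0 or 1 and an attacker ageing the memory can read the key back."""
    static_duty = [float(b) for b in _bits(key)]
    store = InvertingKeyStore(key)
    for _ in range(periods):
        store.tick()
        assert store.read() == key        # the key is readable at every point
    return residual_bias(static_duty), residual_bias(store.duty_cycle())


def read_after(key: bytes, periods: int) -> bytes:
    """The logical key as seen through the state bit after ``periods`` inversions."""
    store = InvertingKeyStore(key)
    for _ in range(periods):
        store.tick()
    return store.read()


if __name__ == "__main__":
    print("static vs inverting bias:", compare(b"\xde\xad\xbe\xef", periods=1000))
```

After an even number of periods every cell has held each polarity exactly half the time, so the bias is zero; after an odd number it is at most 1/(2n), which is why the inversion period should be short compared with the time the key lives in memory.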